The Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) jointly published a new resource as part of their ongoing efforts to promote awareness of, and help organizations defend against, supply chain risks. The publication, Defending Against Software Supply Chain Attacks, provides recommendations for software customers and vendors as well as key steps for prevention, mitigation and resilience of software supply chain attacks.

Software supply chain attacks occur when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. A software supply chain attack can occur at any phase of the supply chain, including design, development and production, distribution, acquisition and deployment, maintenance, and disposal. The risk is significant because virtually every organization relies on multiple external software vendors to provide services and products to manage the organization’s business operations (e.g., financial, human resources, data analytics, logistics, manufacturing, healthcare, and information technology software and code). Given the prevalence of supply chain cyber attacks, with the well-publicized compromise of SolarWinds and its widespread impact being the most recent example, organizations should take heed of the critically important and practical guidance for protecting their software supply chains contained in the resource.

We have previously written about supply chain risk applicable to Internet of Things (IoT) devices, including recent legislative initiatives to develop standards for government contractors and systems. In this context, the NIST cautions specifically about malicious or vulnerable software that can make its way into information and communications technology (ICT) products and services through the retailers, distributors, vendors, and suppliers that participate in their sale, delivery, and production.

The resource highlights three common, and not mutually exclusive, software supply chain attack techniques:

  • Hijacking Updates: where a malicious actor inserts malware into a routine software update by infiltrating a vendor’s network.
  • Undermining Code Signing: where a malicious actor inserts malicious code into an update by impersonating a trusted vendor.
  • Compromising Open-Source Code: where a malicious actor inserts code into a publicly accessible “open-source” code library, which may then be unintentionally incorporated by software developers into products sold to consumer organizations. Recent vulnerabilities found in publicly available DNS code highlight this method of attack.

Organizations are vulnerable to software supply chain attacks through common products such as antivirus, IT management and remote access software, all of which typically require frequent communication with the software vendor for updates. For example, the December 2020 SolarWinds hack involved a software supply chain attack on an IT management tool, SolarWinds’ Orion platform, in which a foreign threat actor inserted a “backdoor” into routine software updates, which allowed the threat actor to gain access to numerous government and private sector networks. Once a malicious actor has gained access to an organization’s network through a software supply chain attack, follow-on actions can include data or financial theft, eavesdropping on sensitive communications and business plans, and disabling networks or systems.
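The first two techniques above (a hijacked update and a manifest signed by an impersonator) are both caught by one customer-side check: verify the release manifest against a vendor public key pinned out of band, then verify the payload against the digest in that manifest. The following is an added illustration in Go using only the standard library, not code from the CISA/NIST publication or this post; the manifest layout, version strings and update payload are constructed, and the vendor and attacker keys are generated on the spot.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is the metadata a vendor signs for each release: the release
// version and the SHA-256 digest of the update payload (constructed format).
type Manifest struct {
	Version string
	Digest  [sha256.Size]byte
}

// Encode produces the exact bytes that are signed and later verified;
// the version is length-prefixed so the two fields cannot run together.
func (m Manifest) Encode() []byte {
	buf := []byte{byte(len(m.Version))}
	buf = append(buf, m.Version...)
	return append(buf, m.Digest[:]...)
}

// SignRelease is the vendor-side step: hash the payload, build the
// manifest and sign it with the vendor's private release key.
func SignRelease(priv ed25519.PrivateKey, version string, payload []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digest: sha256.Sum256(payload)}
	return m, ed25519.Sign(priv, m.Encode())
}

var (
	ErrBadSignature = errors.New("manifest not signed by the pinned vendor key")
	ErrDigest       = errors.New("payload digest does not match signed manifest")
	ErrRollback     = errors.New("manifest version is older than the installed version")
)

// VerifyUpdate is the customer-side check. pinnedPub is the vendor key the
// organization recorded when it onboarded the supplier; any key that
// arrives with the update itself is never trusted. Versions are compared
// as fixed-width strings, a simplification for this example.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m Manifest, sig, payload []byte, installed string) error {
	if !ed25519.Verify(pinnedPub, m.Encode(), sig) {
		return ErrBadSignature // undermined code signing: wrong or unknown signer
	}
	if got := sha256.Sum256(payload); !bytes.Equal(got[:], m.Digest[:]) {
		return ErrDigest // hijacked update: payload altered after signing
	}
	if m.Version < installed {
		return ErrRollback // replay of an old, genuinely signed release
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed update payload 2021.04")

	m, sig := SignRelease(vendorPriv, "2021.04", payload)
	fmt.Println("genuine release:", VerifyUpdate(vendorPub, m, sig, payload, "2021.03"))

	tampered := append([]byte(nil), payload...)
	tampered[0] ^= 0xff // payload modified after the vendor signed the manifest
	fmt.Println("hijacked update:", VerifyUpdate(vendorPub, m, sig, tampered, "2021.03"))

	m2, sig2 := SignRelease(attackerPriv, "2021.05", tampered) // impersonator's own key
	fmt.Println("impersonated vendor:", VerifyUpdate(vendorPub, m2, sig2, tampered, "2021.03"))
}
```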

In Defending Against Software Supply Chain Attacks, the NIST provides recommendations to organizations acquiring software or other ICT products and services. To start, the NIST recommends establishing a formal, organization-wide cyber supply chain risk management (C-SCRM) program to ensure that supply chain risk receives attention across the organization, including from executives and managers within operations and personnel across supporting roles. An effective supply chain risk management program can mitigate risk through, among other things, establishing security requirements or controls for software and ICT product suppliers, assessing supplier certifications and component inventory, and ensuring that vendors enforce supply chain security requirements, including through contracts and other safeguards.

In addition to preventative C-SCRM programs, the NIST recommends that organizations develop and implement a vulnerability management program to scan for, identify, triage, and mitigate existing software vulnerabilities. An appropriate vulnerability management program enables an organization to conduct security impact analyses, implement manufacturer-provided guidelines to harden software, operating systems, and firmware, and maintain information system component inventory.

The NIST also recommends that organizations use resilience measures where threat actors have successfully exploited vulnerable software. These include pre-identifying alternative software suppliers, and identifying and establishing failover processes in the event of a compromise.

Organizations subject to regulatory standards to protect personal, health and other sensitive information (e.g., Gramm-Leach-Bliley, HIPAA, NY SHIELD Act, California Civil Code §1781.5, Massachusetts data protection regulation, Illinois Personal Information Protection Act and Biometric Information Protection Act) are already required to use reasonable safeguards to secure protected information in their supply chains. It is critical, however, that all organizations plan for the cybersecurity of their software and ICT products and services and take reasonable steps to ensure that C-SCRM procedures are in place, and that vulnerabilities are addressed in a timely manner consistent with risk.

Defending Against Software Supply Chain Attacks provides helpful guidance for organizations in taking steps to secure their systems against software supply chain attacks that can compromise protected information. These measures include:

  • Developing a written program to address software supply chain risk, including as required under applicable data protection statutes and regulations.
  • Inventorying organizational reliance on external software and code across all operational departments.
  • Assessing risk from these vendors and adopting appropriate contractual and other safeguards.
  • Coordinating efforts across management, IT, personnel, compliance, product development and operational departments.
  • Monitoring the threats and vulnerabilities to the software supply chain, including through technical measures and threat analysis, on an ongoing basis.

EBG works closely, under attorney-client privilege, with organizations to conduct risk assessments and develop information security programs, manage supply chain risk and identify recognized security practices that may bolster practical security and improve compliance defensibility. Any questions may be directed to the authors or another member of EBG’s Privacy, Cybersecurity, and Data Asset Management Group.

Brian G. Cesaratto is a Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Alexander Franchilli is an Associate in the Employment, Labor & Workforce Management and Litigation practices, in the New York office of Epstein Becker Green.

As featured in #WorkforceWednesday: This week, we focus on the Centers for Disease Control and Prevention’s (CDC’s) new guidance for vaccinated individuals and what it means for accommodations.

Employers Navigate New CDC Guidance for Fully Vaccinated Individuals

Last week, the CDC updated its guidelines to state that it is safe for fully vaccinated people to resume normal activities without masks or social distancing “except where required by federal, state, local, tribal, or territorial laws, rules, and regulations, including local business and workplace guidance.” Attorneys Shira Blank and Susan Gross Sholinsky explain what this means for employers and businesses that are places of public accommodation.


NY Enacts “First in the Nation” HERO Act

New York Governor Andrew Cuomo has signed the Health and Essential Rights Act (HERO Act), a “first in the nation” law. The HERO Act requires New York agencies to develop an industry-specific model airborne infectious disease exposure prevention standard that will establish minimum workplace requirements beyond the COVID-19 pandemic. Click for more.

Ninth Circuit Says CA ABC Test Not Preempted by Federal Aviation Administration Authorization Act (FAAAA)

For decades, the practice of motor carriers arranging for freight to be transported by independent owner-operators—i.e., independent contractors who drive their own trucks—has been ubiquitous. However, this practice is now under threat in California because of the Ninth Circuit’s recent decision in CTA v. Bonta. Read more about the decision.

Visit our site for more news.

During a May 10, 2021 press conference, Governor Andrew Cuomo announced his intention to propose legislation aimed at stopping discrimination against those who choose to get vaccinated against the COVID-19 virus. Unlike many states that are introducing legislation to prevent discrimination against those who are unvaccinated, this bill would protect those who are vaccinated.  The Governor referenced a report that certain summer camps are not allowing campers to attend or staff members to work at the camp if they have received the vaccine. Audio of his remarks is available here.

Governor Cuomo stated, “I want to propose a law that says you can’t discriminate against a person who has a vaccine… I understand the anti-vaccine argument. In my opinion, there is no science to it. There is no science to it. You can have a theory, you can have a belief, but you can’t use that to make public policy without science and without data.”

The Governor did not lay out a timeline for when the legislation could be presented to state legislators, nor did he provide any further specifics regarding his proposal, including whether the bill could impact employers who are choosing to treat vaccinated and unvaccinated employees differently in terms of returning to the physical workplace. Epstein Becker & Green will monitor the proposed legislation and provide updates as they become available.

The Illinois Employee Sick Leave Act (“Act”) is what is known as a “kin care” law; i.e., it generally requires Illinois employers that provide paid or unpaid personal sick leave benefits to their employees to allow employees to use such leave to attend to a covered family member’s illness or injury, “on the same terms” as the employees would use their sick leave benefits for their own illness or injury. A “covered family member” means an employee’s “child, stepchild, spouse, domestic partner, sibling, parent, mother-in-law, father-in-law, grandchild, grandparent, or stepparent.” The Act does not mandate that employers provide sick leave benefits; rather, it only expands the purposes for which employees may use such benefits, should the employer provide them.

Now, under an amendment to the Act, signed into law on April 27, 2021 by Governor J.B. Pritzker, the Act permits employees to use their personal sick leave benefits to attend to the “personal care” of a covered family member. The amendment defines “personal care” as “activities to ensure that a covered family member’s basic medical, hygiene, nutritional, or safety needs are met, or to provide transportation to medical appointments, for a covered family member who is unable to meet those needs himself or herself.” “Personal care” also includes “being physically present to provide emotional support to a covered family member with a serious health condition who is receiving inpatient or home care.”

As a reminder, the Act permits employers to limit the use of personal sick leave benefits for kin care to “an amount not less than the personal sick leave that would be earned or accrued during 6 months at the employee’s then current rate of entitlement.” Employers who calculate personal sick leave benefits on an employee’s years of service, instead of on annual or monthly accrual, may limit the amount of sick leave to be used for family members “to half of the employee’s maximum annual grant.”

Further, an employer’s kin care policy may require employees to provide written verification of the employee’s absence for kin care from a health care professional, as long as the employer requires such verification when employees use sick leave for absences due to their own illness or injury.

Illinois employers that provide sick leave benefits should ensure that their policies reflect this recent change in the law.

The City of Chicago recently enacted the Chicago COVID-19 Vaccine Anti-Retaliation Ordinance.

The Vaccine Anti-Retaliation Ordinance allows workers in Chicago – including independent contractors — to get vaccinated during a scheduled “shift,” requires pay for hours taken to get vaccinated (if an employer mandates the vaccine), and prohibits retaliation for getting vaccinated during a scheduled shift.

Specifically, the Chicago Vaccine Anti-Retaliation Ordinance provides as follows:

  1. An employer may not require that a worker only be vaccinated during “non-shift” hours or retaliate against a worker for taking time during a “shift” to get vaccinated. A “shift” is defined as “the consecutive hours an Employer schedules a Worker to work, including Employer-approved meal periods and rest periods.”
  2. An employer must allow a worker to use accrued paid sick leave or other paid time off to get vaccinated.
  3. If an employer requires a worker to get vaccinated, the employer must compensate the worker for the time, up to four hours per dose, if the vaccine appointment is during a “shift,” and the employer cannot require the worker to use accrued paid sick leave or paid time off to cover the hours missed to get vaccinated.

The Ordinance provides that Employers found to have violated this Ordinance will be liable for “a fine of between $1,000 and $5,000,” but the Ordinance provides no further detail regarding how any potential fine is to be calculated. Additionally, workers subject to a violation of this Ordinance may recover in a civil action reinstatement to either the same position held before the retaliatory action or to an equivalent position, damages equal to three times the full amount of wages that would have been owed had the retaliatory action not taken place, as well as any other actual damages and attorney’s fees.

The bottom line is this:  Chicago employers should review their company policies to ensure that they do not run afoul of these newly enacted worker protections.

On March 3, 2021, New York City Mayor Bill de Blasio issued Executive Order No. 64 (“EO”), which, effective immediately, imposes new sexual harassment reporting requirements on “human services” providers who contract with the City. The EO requires the Department of Investigation (“DOI”) to review information about sexual harassment complaints and provide its findings to any City agency that contracts with the disclosing provider.

“Human services” is defined by the relevant section of the Administrative Code to include “day care, foster care, home care, homeless assistance, housing and shelter assistance, preventive services, youth services, and senior centers; health or medical services including those provided by health maintenance organizations; legal services; employment assistance services, vocational and educational programs; and recreation programs.”

The EO mandates that all City agencies that contract with outside entities for the provision of human services amend existing contracts to require that the contractors provide information about sexual harassment complaints, whether made by an employee, client, or other person.  Specifically, such amendment shall require the contractor to make available to the DOI the following:

  • The contractor’s anti-harassment policies, including reporting procedures (to be submitted to the DOI via PASSPort, the City’s digital procurement portal);
  • Any complaint or allegation of sexual harassment, or retaliation on the basis of a sexual harassment complaint, brought by any person against the Chief Executive Officer or equivalent principal of the organization in any venue, including the organization’s internal equal employment opportunity process. The contractor should redact the names and identifying information of individuals, except the accused, and provide the complaint to the DOI within 30 days of receipt via secure means to be determined by the DOI;
  • The final determination or judgment concerning any such complaint, also redacted as to the name and identifying information of individuals other than the accused; and
  • Any additional information the DOI requests in order to effectuate its review of any investigation and determination, including redacted information.

The contractor’s Board of Directors or “equivalent authority” must certify annually that it has made all required disclosures or that it has no new information to report.  Notably, the EO does not give contractors the discretion to withhold unsubstantiated complaints or allegations.  The reporting obligations under the EO do not relieve the contractor of its duty to investigate sexual harassment complaints or allegations, or of any other contractual obligations.

The DOI, upon review of a contractor’s disclosures, will share its findings with City agencies, which may consider the findings, as well as a contractor’s failure to comply with the disclosure requirements, when awarding or renewing a contract.  City agencies are to begin immediately amending existing contracts to include the new disclosure requirements and ensure that all future contracts reflect these provisions.

Epstein Becker & Green is continuing to monitor these developments and will provide further updates as they become available.

As featured in #WorkforceWednesday:  While the Equal Employment Opportunity Commission says that employers can institute mandatory vaccination policies, there are many legal considerations that come with those policies, especially as more employees return to work. And employers that do not mandate vaccines are wondering what workplace rules they can implement without legal risk. Attorneys Jennifer Barna and Nathaniel Glasser tell us more. You can also read more about the legal considerations of mandating vaccination.



On May 3, 2021, New York Governor Andrew Cuomo and New Jersey Governor Phil Murphy announced a significant easing of COVID-19-related capacity restrictions on businesses in their respective states. Governor Ned Lamont of Connecticut, who joined the other two governors in the announcement, had previously ordered a comparable lifting of capacity restrictions in his state.

Specifically, effective May 19, New Jersey and New York will remove most capacity limitations on businesses, which are currently based on a percentage of maximum capacity, and replace them with limitations based on the space available for individuals to comply with the social distancing mandate of six-feet; Connecticut’s easing of restrictions will also be in place by May 19. It is not yet clear how the new social-distancing requirement will be enforced, since, as of this writing, only Governor Murphy has issued an executive order regarding the removal of capacity limitations for businesses, and it does not contemplate enforcement. Additionally, no other formal guidance has been issued.

The New York and New Jersey announcement provides that “this new distance-based maximum capacity will apply across commercial settings,” including retail stores, food services, gyms and fitness centers, amusement parks, museums, and beauty salons. As Governor Cuomo stated in the press conference accompanying the announcement, the new standard applies to office-based businesses as well, although the text of the announcement does not explicitly reference offices.

Governor Cuomo cited increased vaccination rates and the general decline of COVID-19 cases in New York when announcing the easing of the capacity restrictions, which he characterized as a move “towards returning to normal.”

The current announcement comes on the heels of Governor Cuomo’s announcement last week that, effective May 15, office capacity in the state would increase from 50 percent to 75 percent. Governor Murphy also made a similar announcement last week that, effective May 10, indoor room capacity for certain events would increase to 50 percent, with a maximum of 250 individuals. These decisions now appear to be superseded by the most recent announcement.

Epstein Becker & Green is continuing to monitor these developments and will provide further updates as they become available.


Christopher Shura, Law Clerk – Admission Pending (not admitted to the practice of law) in the firm’s New York office, contributed to the preparation of this post.

As featured in #WorkforceWednesday:  This week, several COVID-19 vaccine news developments and updates were announced for employers.

Paid Leave Tax Credit for Employers

President Biden recently announced employers that offer full pay to workers for vaccinations and recovery may be entitled to a paid leave tax credit.

EEOC Promises Guidance on COVID-19 Vaccine Incentive Programs

EEOC acting legal counsel Carol Miaskoff said recently that the agency will release guidance on vaccine incentive programs.

OSHA Offers Guidance on Vaccine Reaction Reporting

Guidance from OSHA states that only employers that mandate vaccines are required to record adverse reactions. This applies to all employers that penalize employees with employment consequences if they don’t get vaccinated.
