Workforce Bulletin

As featured in #WorkforceWednesday: This week, we’re breaking down the California Privacy Protection Agency (CPPA) Board’s new regulations impacting employers:

Last month, the CPPA Board met to discuss several new regulations that could impact employers in California and beyond. Among them were draft regulations for automated decision-making technology, an initiative that’s part of a larger trend across the country to regulate the use of technology in the workplace. Additionally, new cybersecurity audit regulations were discussed. Epstein Becker Green attorneys Nathaniel Glasser and Brian G. Cesaratto explain these new draft regulations and the potential impacts on employers.

On July 13, 2023, the White House issued the first iteration of its National Cybersecurity Strategy Implementation Plan (the “Implementation Plan”), which will be updated annually. The two overarching goals of the Implementation Plan are to address the need for more capable actors in cyberspace to bear more of the responsibility for cybersecurity and to increase incentives to make investments in long-term resilience. The Implementation Plan is structured around the five pillars laid out in the White House’s National Cybersecurity Strategy earlier this year, namely: (1) defend critical infrastructure; (2) disrupt and dismantle threat actors; (3) shape market forces to drive security and resilience; (4) invest in a resilient future; and (5) forge international partnerships to pursue shared goals. The Implementation Plan identifies strategic objectives and high-impact cybersecurity initiatives under each pillar and designates the federal agency responsible for leading the initiative to meet each objective. The following summarizes some of the key initiatives included in the Implementation Plan that will directly impact critical infrastructure organizations, including healthcare, energy, manufacturing, information technology and financial services.

As featured in #WorkforceWednesday:  This week, we’re taking a closer look at ChatGPT, exploring the opportunities and risks associated with this artificial intelligence (AI) technology, and providing valuable insights for employers who are looking to stay ahead of the curve:

ChatGPT is set to become the next big thing for employers and beyond. What potential issues should employers be aware of? Epstein Becker Green attorney Brian G. Cesaratto explains how critical it is for employers to think through the workplace-related risks.

A recently discovered security vulnerability potentially affecting at least 100 million Internet of Things (“IoT”) devices[1] highlights the importance of the newly enacted IoT Cybersecurity Improvement Act of 2020 (the “IoT Act”). Researchers at the security firms Forescout Research Labs and JSOF Research Labs have jointly published a report detailing a security vulnerability known as “NAME:WRECK.” This is exactly the type of issue that the new IoT Act was and is designed to address at the governmental level, because the vulnerability can detrimentally affect ...

Enacted on December 4, 2020, the Internet of Things Cybersecurity Improvement Act of 2020 (the “IoT Act”) is expected to dramatically improve the cybersecurity of the ubiquitous IoT devices.[1] With IoT devices on track to exceed 21.5 billion by 2025, the IoT Act mandates cybersecurity standards and guidelines for the acquisition and use by the federal government of IoT devices capable of connecting to the Internet. The IoT Act, and the accompanying standards and guidance being developed by the National Institute of Standards and Technology (NIST) will directly affect ...

As featured in #WorkforceWednesday: As the uncertainty with the COVID-19 pandemic continues, many employers are considering extended or permanent work-from-home (WFH) models. Attorneys Brian G. Cesaratto and Shawndra G. Jones share some tips for employers on cybersecurity and other issues to consider when implementing extended WFH models.

Video: YouTube, Vimeo, MP4, Instagram.

Many more millions of employees have been working remotely as a result of the devastating COVID-19 virus than ever before.  There is likely no going back.  Employers have been relying on a remote workforce by necessity in the short term and are realizing that in the long term they can operate efficiently and productively with their staff largely out of the office.  The public health risks will, for the foreseeable future, be the driver both on employers’ need for a remote workforce to achieve continuity of operations and employees’ demand for a safer work location.  The increased ...

On March 10, 2020, the New York Department of Financial Services (“DFS”), which regulates a wide variety of financial institutions, including banks, insurance companies, and investment advisors doing business in New York, issued a series of letters regarding the response to the Novel Coronavirus (“COVID-19”).   In addition to providing guidance, DFS has asked all regulated financial institutions to provide “assurance” that they have plans to address the operational and financial risks associated with COVID-19.  A copy of the letter to regulated financial ...

Time is running out. The effective date of New York’s cybersecurity law mandating that organizations implement an information security program to protect “private information” of New York State residents, including employee and consumer data, is now only 45 days away. New York’s law requires the implementation of a cybersecurity program, including reasonable protective measures such as risk assessments, workforce training and incident response planning and testing. Businesses should immediately take steps to comply with the Act’s requirements effective March ...

New York is the latest state to adopt a law that requires businesses that collect private information on its residents to implement reasonable cybersecurity safeguards to protect that information. New York now joins California, Massachusetts and Colorado in setting these standards. New York’s law mandates the implementation of a data security program, including measures such as risk assessments, workforce training and incident response planning and testing. Businesses should immediately begin the process to comply with the Act’s requirements effective March 21, 2020 ...

The recently proposed amendment to the California Consumer Privacy Act (CCPA) should be a wake up call to those employers who are not already actively planning for the January 1, 2020 compliance deadline.

The amendment reaffirms that employers must (i) provide employees with notice of the categories of personal information collected and the purposes for which the information shall be used at or before collection; and (ii) implement reasonable cybersecurity safeguards to protect certain employee personal information or risk employee lawsuits, including class actions seeking ...

On May 9, 2019, the United States Department of Justice announced the indictment of two Chinese Nationals as members of a sophisticated hacking group responsible for the hack of Anthem, Inc. and other unnamed U.S. based large technology, communications and basic materials companies. The hack resulted in the breach of personally identifiable information of over 78 million individuals held by Anthem and the theft of confidential business information from the victimized organizations. The indictment provides a roadmap to advanced hacking attacks regularly faced by technology ...

Technology, media, and telecommunications organizations are at the forefront of tackling new challenges in handling employee information and managing employee populations. As legislatures (from the federal level down to states and cities) address how technology impacts today’s new workforce, employers must grapple with changes in managing data—from privacy concerns to the use of artificial intelligence in employment matters—and keeping workers happy, including dealing with wage increases, the rise in union activity, and contingent workers in the #MeToo era. A changing workplace landscape requires creative thinking and outside-the-box solutions.

Washington State is considering sweeping legislation (SB 5376) to govern the security and privacy of personal data similar to the requirements of the European Union’s General Data Protection Regulation (“GDPR”). Under the proposed legislation, Washington residents will gain comprehensive rights in their personal data. Residents will have the right, subject to certain exceptions, to request that data errors be corrected, to withdraw consent to continued processing and to deletion of their data. Residents may require an organization to confirm whether it is processing ...

There is a visceral and palpable dynamic emerging in global workplaces: tension.

Tension between what is potentially knowable—and what is actually known.   Tension between the present and the future state of work.  Tension between what was, is, and what might become (and when).  Tension between the nature, function, and limits of data and technology.

The present-future of work is being shaped daily, dynamically, and profoundly by a host of factors—led by the exponential proliferation of data, new technologies, and artificial intelligence (“AI”)—whose impact cannot be understated.  Modern employers have access to an unprecedented amount of data impacting their workforce, from data concerning the trends and patterns in employee behaviors and data concerning the people analytics used in hiring, compensation, and employee benefits, to data that analyzes the composition of the employee workforce itself.  To be sure, AI will continue to disrupt how virtually every employer views its human capital model on an enterprise basis. On a micro level, employers are already analyzing which functions or groups of roles might be automated, augmented, or better aligned to meet their future business models.

And, yet, there is an equal, counterbalancing force at play—the increased demand for accountability, transparency, civility, and equity.  We have already seen this force playing out in real time, most notably in the #MeToo, pay equity, and data privacy and security movements.  We expect that these movements and trends will continue to gain traction and momentum in litigation, regulation, and international conversation into 2019 and beyond.

We have invited Epstein Becker Green attorneys from our Technology, Media & Telecommunications (“TMT”) service team to reflect and opine on the most significant developments of the year.  In each, we endeavor to provide practical insights to enable employers to think strategically through these emergent tensions and business realities—to continue to deliver value to their organizations and safeguard their goodwill and reputation.

Join Epstein Becker Green attorneys, Brian G. Cesaratto and Brian E. Spang, for a discussion of how employers can best protect their critical technologies and trade secrets from employee and other insider threats. Topics to be discussed include:

• Determining your biggest threat by using available data
• What keeps you up at night?
• Foreseeing the escalation in risk, from insider and cyber threats to critical technologies
• New protections and remedies under the Trade Secret Protection Act of 2014
• Where are your trade secrets located, and what existing protections are in place?
• What ...

We published an article with NYSBA Labor and Employment Law Journal, titled “Employee Threats to Critical Technologies Are Best Addressed Through a Formalized Insider Threat Risk Assessment Process and Program.” With the New York State Bar Association's permission, we have linked it here.

It is highly likely that the National Association of Insurance Commissioners (“NAIC”) will adopt a model data cyber security law premised largely on the New York State Department of Financial Services (“NYSDFS”) cyber security regulations.  Recently, we discussed the NYSDFS’ proposed extension of its cyber security regulations to credit reporting agencies in the wake of the Equifax breach.  New York Governor Andrew Cuomo has announced, “The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be ...

New York State has issued proposed regulations extending existing regulations requiring banks and other financial institutions to have in place a comprehensive cybersecurity program to credit reporting agencies.  Governor Mario Cuomo announced that “The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”

Under the proposed regulations, every consumer reporting agency that assembles, evaluates or maintains a consumer credit report on NYS consumers must register with ...

Employers across all industries are deep in the midst of exciting but unchartered and fluid times. Rapid and unforeseen technological advancements are largely responsible for this dynamic. And while there is a natural tendency to embrace their novelty and potential, the reality is that these advancements are often outpacing our regulatory environment, our bedrock legal constructs, and, in some cases, challenging the traditional notions of work itself.

For employers, this presents numerous challenges and opportunities—from the proper design of the portfolio of the modern ...

Human Resources and Payroll should advise employees in their departments to be on the lookout for the latest tax season phishing scam designed to steal employees’ tax related information and social security numbers. Given the regular frequency of these types of attacks, employers should be taking appropriate steps to safeguard employee Personally Identifiable Information (“PII”).  At a minimum, Human Resources should have in place written policies regarding the handling of employee PII and provide training designed to protect employee PII against a data breach.  Because ...