As featured in #WorkforceWednesday®: This week, we’re interpreting the U.S. Department of Labor’s (DOL’s) recently updated cybersecurity guidance for all employee benefit plans covered under the Employee Retirement Income Security Act (ERISA).
The DOL recently clarified that its 2021 cybersecurity guidance applies to all ERISA-covered employee benefit plans, including health and welfare plans. This clarification raises important questions for employers regarding compliance and security.
Epstein Becker Green attorneys Brian G. Cesaratto and Samuel C. Nolan provide their analysis of the key cybersecurity considerations and best practices for risk mitigation that employers should consider in light of the updated guidance.
The widespread availability of Artificial Intelligence (AI) tools has enabled the growing use of “deepfakes,” whereby the human voice and likeness can be replicated seamlessly such that impersonations are impossible to detect with the naked eye (or ear). These deepfakes pose substantial new risks for commercial organizations. For example, deepfakes can threaten an organization’s brand, impersonate leaders and financial officers, and enable access to networks, communications, and sensitive information.
In 2023, the National Security Agency (NSA), Federal Bureau of Investigations (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Information Sheet (the “Joint CSI”) entitled “Contextualizing Deepfake Threats to Organizations,” which outlines the risks to organizations posed by deepfakes and recommends steps that organizations, including national critical infrastructure companies (such as financial services, energy, healthcare and manufacturing organizations), can take to protect themselves. Loosely defining deepfakes as “multimedia that have either been created (fully synthetic) or edited (partially synthetic) using some form of machine/deep learning (artificial intelligence),” the Joint CSI cautioned that the “market is now flooded with free, easily accessible tools” such that “fakes can be produced in a fraction of the time with limited or no technical expertise.” Thus, deepfake perpetrators could be mere amateur mischief makers or savvy, experienced cybercriminals.
On December 8, 2023, the California Privacy Protection Agency (“CPPA”) Board (the “Board”) held a public meeting to discuss, among other things, regulations addressing: (1) cybersecurity audits; (2) risk assessments; and (3) automated decisionmaking technology (“ADMT”). After years in the making, the December 8 Board meeting was another step towards the final rulemaking process for these regulations. The Board’s discussion of the draft regulations revealed their broad implications for businesses covered by the California Consumer Privacy Act ...
In this special year-end episode of Employment Law This Week, recorded live from our 42nd Annual Workforce Management Briefing in New York City, Epstein Becker Green attorneys discuss the biggest employment law trends and crucial workforce changes in 2023, covering everything from non-competes and National Labor Relations Board actions to union dynamics, cybersecurity, and the impacts of artificial intelligence.
Podcast: Amazon Music, Apple Podcasts, Audacy, Audible, Deezer, Goodpods, iHeartRadio, Overcast, Pandora, Player FM, Pocket Casts, Spotify, YouTube Music.
***
Employment Law This Week® gives a rundown of the top developments in employment and ...
The five-member Board of the California Privacy Protection Agency (the “CPPA”) held a public meeting on September 8, 2023, to discuss a range of topics, most notably, draft regulations relating to risk assessments and cybersecurity audits. Once the regulations are finalized and approved after a formal rulemaking process, they will impose additional obligations on many businesses covered by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”). The Board’s discussion of these draft regulations is instructive for ...
California businesses, including employers, that have not already complied with their statutory data privacy obligations under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including as to employee and job applicant personal information, should be taking all necessary steps to do so. See No More Exceptions: What to Do When the California Privacy Exemptions for Employee, Applicant and B2B Data Expire on January 1, 2023. As background, a covered business is one that “does business” in California, and either has annual gross revenues of $25 million, annually buys sells or shares personal information of 100,00 consumers or households, or derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information. It also applies, in certain circumstances, to entities that control or are controlled by a covered business or joint ventures. Covered businesses may be exempt from obligations under certain enumerated entity-level or information-level carve-outs.
On July 13, 2023, the White House issued the first iteration of its National Cybersecurity Strategy Implementation Plan (the “Implementation Plan”), which will be updated annually. The two overarching goals of the Implementation Plan are to address the need for more capable actors in cyberspace to bear more of the responsibility for cybersecurity and to increase incentives to make investments in long-term resilience. The Implementation Plan is structured around the five pillars laid out in the White House’s National Cybersecurity Strategy earlier this year, namely: (1) defend critical infrastructure; (2) disrupt and dismantle threat actors; (3) shape market forces to drive security and resilience; (4) invest in a resilient future; and (5) forge international partnerships to pursue shared goals. The Implementation Plan identifies strategic objectives and high-impact cybersecurity initiatives under each pillar and designates the federal agency responsible for leading the initiative to meet each objective. The following summarizes some of the key initiatives included in the Implementation Plan that will directly impact critical infrastructure organizations, including healthcare, energy, manufacturing, information technology and financial services.
As reported in a June 3, 2022 press release from the House Committee on Energy and Commerce, U.S. Representatives Frank Pallone, Cathy McMorris Rodgers, and Senator Roger Wicker released a “discussion draft” of a federal data privacy bill entitled the “American Data Privacy and Protection Act” (the “Draft Bill”), which would impact the data privacy and cybersecurity practices of virtually every business and not-for-profit organization in the United States.
As further described below, the Draft Bill’s highlights include: (i) a comprehensive nationwide data privacy framework; (ii) preemption of state data privacy laws, with some exceptions; (iii) a private right of action after four (4) years, subject to the individual’s prior notice to the Federal Trade Commission (“FTC”) and applicable state attorney general before commencement of lawsuit; (iv) exemptions for covered entities that are in compliance with other federal privacy regimes such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and Gramm-Leach Bliley Act (“GLBA”) solely with respect to data covered by those statutes; (v) exclusions from Act’s requirements for certain “employee data”; and (vi) a requirement for implementation of reasonable administrative, technical and physical safeguards to protect covered data. The Draft Bill would be enforced by the FTC, and violations treated as unfair or deceptive trade practices under the Federal Trade Commission Act, as well as by state attorneys general.
As featured in #WorkforceWednesday: This week, we look at H.R. 4445, new federal legislation that addresses mandatory arbitration of sexual assault and harassment claims.
As featured in #WorkforceWednesday: This week, we focus on new developments increasing whistleblower protections across the country and prohibiting mandatory arbitration of sexual assault and harassment claims.
Recent data thefts and systems intrusions, particularly with respect to ransomware, have assured that cybersecurity is top of mind for corporate executives and compliance officials. We at EBG have tried to keep you up to date with respect to legislative, regulatory and litigation developments and recommended best practices and procedures.
As we close out the year, we all should remain mindful that cyber criminals, especially those who are supported or protected by foreign adversaries, have little incentive to rest up during the holidays.
A recently discovered security vulnerability potentially affecting at least 100 million Internet of Things (“IoT”) devices[1] highlights the importance of the newly enacted IoT Cybersecurity Improvement Act of 2020 (the “IoT Act”). Researchers at the security firms Forescout Research Labs and JSOF Research Labs have jointly published a report detailing a security vulnerability known as “NAME:WRECK.” This is exactly the type of issue that the new IoT Act was and is designed to address at the governmental level, because the vulnerability can detrimentally affect ...
Enacted on December 4, 2020, the Internet of Things Cybersecurity Improvement Act of 2020 (the “IoT Act”) is expected to dramatically improve the cybersecurity of the ubiquitous IoT devices.[1] With IoT devices on track to exceed 21.5 billion by 2025, the IoT Act mandates cybersecurity standards and guidelines for the acquisition and use by the federal government of IoT devices capable of connecting to the Internet. The IoT Act, and the accompanying standards and guidance being developed by the National Institute of Standards and Technology (NIST) will directly affect ...
In our previous blog, we featured the California Privacy Rights Act’s Enhanced Cybersecurity Safeguards.[1] We now highlight significant privacy safeguards under the California Privacy Rights Act (“CPRA”) that will require advance planning in preparation for its January 1, 2023 effective date.[2] These new requirements will impact the collection and use of personal information across each organization. In particular, businesses, at a minimum, will need to assess and plan for:
- the effective implementation of data minimization policies, practices, and ...
The California Privacy Rights Act (“CPRA”) leaps forward on cybersecurity by amending the California Consumer Privacy Act (“CCPA”) to impose enhanced protections. The CPRA enhancements apply to “for profit” companies and other organizations: (a) with more than $25 million in gross revenues in the preceding calendar year, or (b) that annually buy, sell or share the personal information of 100,000 or more consumers or households, or (c) that derive at least 50 percent of their annual revenue from selling or sharing consumer personal information ...
New York attorneys could soon have to complete cybersecurity training courses to satisfy their continuing legal education (“CLE”) requirement. The House of Delegates of the New York State Bar Association (“NYSBA”) has approved a report proposing that NYSBA’s Executive Committee recommend to the New York State Continuing Legal Education Board that the biennial CLE requirement be amended to require one credit on cybersecurity. The Committee on Technology and the Legal Profession (the “Committee”), which submitted the report, recognized the mounting ...
Many more millions of employees have been working remotely as a result of the devastating COVID-19 virus than ever before. There is likely no going back. Employers have been relying on a remote workforce by necessity in the short term and are realizing that in the long term they can operate efficiently and productively with their staff largely out of the office. The public health risks will, for the foreseeable future, be the driver both on employers’ need for a remote workforce to achieve continuity of operations and employees’ demand for a safer work location. The increased ...
As featured in #WorkforceWednesday: With all the challenges businesses are facing, it is hard to stay focused on data security. Hackers see the newly remote workforce as an opportunity, and phishing attacks are on the rise. Employers can fight back in a few ways:
- Educate employees.
- Update training materials and work-from-home policies.
- Get security patches to employee devices quickly.
- Update your data breach response plan and communicate it.
- Remind your employees to help keep data secure by password-protecting devices with strong passwords and protecting sensitive ...
As the United States and the rest of the world hunker down in their homes to slow the spread of the novel coronavirus (COVID-19), many organizations have implemented “working-from-home” procedures that are designed to protect the health of the employees. Working-from-home, however, presents heightened threats to the cybersecurity of benefit plans, including the plan’s assets and employee data that is collected, transmitted, and stored with regard to employee benefit plans. Plan sponsors and fiduciaries have asked about the particular risks that working-from-home ...
Time is running out. The effective date of New York’s cybersecurity law mandating that organizations implement an information security program to protect “private information” of New York State residents, including employee and consumer data, is now only 45 days away. New York’s law requires the implementation of a cybersecurity program, including reasonable protective measures such as risk assessments, workforce training and incident response planning and testing. Businesses should immediately take steps to comply with the Act’s requirements effective March ...
New York is the latest state to adopt a law that requires businesses that collect private information on its residents to implement reasonable cybersecurity safeguards to protect that information. New York now joins California, Massachusetts and Colorado in setting these standards. New York’s law mandates the implementation of a data security program, including measures such as risk assessments, workforce training and incident response planning and testing. Businesses should immediately begin the process to comply with the Act’s requirements effective March 21, 2020 ...
On May 9, 2019, the United States Department of Justice announced the indictment of two Chinese Nationals as members of a sophisticated hacking group responsible for the hack of Anthem, Inc. and other unnamed U.S. based large technology, communications and basic materials companies. The hack resulted in the breach of personally identifiable information of over 78 million individuals held by Anthem and the theft of confidential business information from the victimized organizations. The indictment provides a roadmap to advanced hacking attacks regularly faced by technology ...
Our colleague Brian Cesaratto at Epstein Becker Green has a post on the Health Law Advisor Blog that will be of interest to our readers in the technology industry: "Harden Your Organization’s Domain Name System (DNS) Security to Protect Against Damaging Data Loss and Insider Threat."
Following is an excerpt:
Although there is no specific mention of DNS in HIPAA, the Gramm Leach Bliley Act, the GDPR or State cybersecurity laws or regulations, including California, Massachusetts or New York, an organization cannot comply with those regulatory frameworks requiring ...
Our colleague NIST Seeks Comments on Cybersecurity Standards for Patient Imaging Devices.”
at Epstein Becker Green has a post on the Health Law Advisor blog that will be of interest to our readers in the technology industry: “Following is an excerpt:
The National Institute of Standards and Technology (“NIST) has announced that it will be seeking industry input on developing “use cases” for its framework of cybersecurity standards related to patient imaging devices. NIST, a component of the Department of Commerce, is the agency assigned to the ...
As 2017 comes to a close, recent headlines have underscored the importance of compliance and training. In this Take 5, we review major workforce management issues in 2017, and their impact, and offer critical actions that employers should consider to minimize exposure:
- Addressing Workplace Sexual Harassment in the Wake of #MeToo
- A Busy 2017 Sets the Stage for Further Wage-Hour Developments
- Your “Top Ten” Cybersecurity Vulnerabilities
- 2017: The Year of the Comprehensive Paid Leave Laws
- Efforts Continue to Strengthen Equal Pay Laws in 2017
Our colleague of Epstein Becker Green authored an article in Confero, titled “Managing Employee Benefits in the Face of Technological Change.”
Following is an excerpt - click here to download the full article in PDF format:
There are many employee benefits challenges facing employers today, from determining the scope and scale of traditional benefits programs to offer that will attract, motivate and retain multigenerational employees, to embracing new models for defining and providing benefits, while simultaneously managing costs. In the midst of ...
New York State has issued proposed regulations extending existing regulations requiring banks and other financial institutions to have in place a comprehensive cybersecurity program to credit reporting agencies. Governor Mario Cuomo announced that “The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”
Under the proposed regulations, every consumer reporting agency that assembles, evaluates or maintains a consumer credit report on NYS consumers must register with ...
In the new issue of Take 5, our colleagues examine five employment, labor, and workforce management issues that will continue to be reviewed and remain top of mind for employers under the Trump administration:
Read the full Take 5 online or download ...Businesses of all sizes and in virtually every industry face the daily threat of a data breach or other cybersecurity event, as well as the challenge of managing the potentially catastrophic economic and reputational harm that can flow from such an incident. Further complicating matters is that these threats can come from any number of sources: hackers, phishers, spammers, bot-network operators, spyware and malware authors, insiders, other nations, organized criminal groups, and terrorists. SEC regulations require registered financial institutions—including ...
Michelle Capezza of Epstein Becker & Green recently returned from the TechAmerica DC Fly-in held February 10th and 11th in Washington, D.C., a Tech Policy Summit that brought together members of technology councils, business leaders and academicians from across the country to discuss various policies and legislation impacting today’s technology companies and our economy. As a member of the New Jersey Technology Council and an NJTC Ambassador, Michelle joined the NJTC delegation for this summit which included James Barrood (President and CEO-NJTC), Karen Lisnyj (Government ...
Blog Editors
Recent Updates
- Video: FTC Exits Labor Pact, EEOC Alleges Significant Underrepresentation in Tech, Sixth Circuit Affirms NLRB Ruling - Employment Law This Week
- Massachusetts High Court Rules That Franchisees Are Independent Contractors
- Video: New DOL Guidance - ERISA Plan Cybersecurity Update - Employment Law This Week
- Video: DOL Authority Challenged - Key Rulings on Overtime and Tip Credit - Employment Law This Week
- Deepfakes: Why Executive Teams Should Prepare for the Cybersecurity and Fraud Risks