In This Issue
March 2018 - May 2018 | Volume 6 Issue 2
- Employee Benefit Satisfaction has Direct Relation to Job Fulfillment
- When a Third Party Becomes the Harasser: How the #MeToo Movement May Impact Your Workforce in the Most Unsuspecting Way
- State Data Breach Notification Laws: Overview of the Patchwork
- Effective October 29, 2018, New Jersey Enacts Statewide Paid Sick Leave
- California Supreme Court Broadens Definition of Employee in Independent Contractor Analysis
Employee Benefit Satisfaction has Direct Relation to Job Fulfillment
The satisfaction workers feel about their benefits, both employment-based and voluntary, has a direct relation to retention opportunities for employers.
Eight in 10 employees who ranked their benefits satisfaction as extremely or very high also ranked job satisfaction as extremely or very high, according to the Employee Benefit Research Institute’s recent 2017 Health and Workplace Benefits Survey. Additionally, nearly two-thirds of respondents who ranked benefits satisfaction as extremely or very high ranked their morale as excellent or very good.
“It is important for employers to understand that benefits continue to be valued by employees,” says Paul Fronstin, director of the health research and education program at EBRI. “Health insurance, retirement plans, dental, vision and life insurance continue to be highly important when making job change decisions.”
In fact, the survey finds that more than four in 10 respondents say they would forgo a wage increase to receive an increase in their work-life balance benefits, and nearly two in 10 state a preference for more health benefits and lower wages.
Employees continue to indicate benefits play a key role in whether to remain at a job or choose a new job. Since 2013, health insurance consistently remains one of the top benefits that employees consider in assessing a job change.
Last year, 83% said health insurance is very or extremely important in deciding whether to stay in or change jobs. A retirement savings plan is also one of the critical benefits, with 73% indicating it is extremely or very important in determining whether to stay in or switch jobs.
Although employees say they are generally satisfied with the employee benefits provided today, there is a growing concern that benefit programs might start to dwindle. When asked, only 19% of respondents say they are extremely confident that what will be provided in three years will be similar to what they have now.
Other challenges remain
“The challenge is how employers can continue to provide the strong employee benefits package that employees want and need, while still controlling the costs of these benefits, particularly healthcare,” Fronstin notes.
Employee education on benefit offerings could use some beefing up. According to the study, a little more than one-half (52%) of employees say they understand their health benefits and 43% indicate they understand their non-health benefits very/extremely well.
Some of this limited understanding of benefits may come from the lack — or perceived lack — of benefit educational opportunities that employees are receiving from their employer, according to the study.
Nearly one-third (31%) of employees indicate that their employer or benefits company provides no education or advice on benefits. Only 39% state that their employer provides education on how health insurance works, 24% say that their employer provides education on how a health savings account works, and 28% confirm that their employer offers education on how to invest money in their retirement plan.
In any case, Fronstin adds, “as employers weigh the future of benefits, they should consider that health insurance consistently remains one of the top benefits that employees consider in assessing a job change, with retirement savings plan also viewed as a critical benefit.”
When a Third Party Becomes the Harasser: How the #MeToo Movement May Impact Your Workforce in the Most Unsuspecting Way
By: Jennifer L. Curry
State Data Breach Notification Laws: Overview of the Patchwork
By: Joseph J. Lazzarotti, Jason C. Gavejian, Maya Atrakchi, Jackson Lewis
The nation’s patchwork of state data breach notification laws is now complete. All 50 states, as well as the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have enacted breach notification laws requiring private organizations or government entities to notify individuals of a security breach involving their personally identifiable information.
The last two states, Alabama and South Dakota, enacted data breach notification statutes in March. The Alabama Data Breach Notification Act goes into effect on May 1, 2018. The South Dakota law will take effect on July 1, 2018.
Additionally, many other states, in response to trends, heightened public awareness, and a string of large-scale data breaches, have continued amending their existing laws. This means data breach notification laws change frequently and keeping up with them can be a challenge.
Requirements Vary
The first state data breach notification law was enacted in 2002 in California. It soon became the model for other states’ breach notification laws. In addition, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) adopted a similar structure for covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Common provisions among the breach notification laws include:
- Notification to affected state residents without unreasonable delay;
- Notification to certain agencies including state attorneys general and/or consumer reporting agency under certain circumstances;
- Notification exceptions for good-faith access by an employee, encryption of the data, and determinations of low risk of harm;
- Specific requirements for the content of the notification; and
- Civil penalties enforced by the state’s attorney general.
Despite these common threads, abundant variations exist among state law provisions. For example, in some states, notification to state agencies is required only when a certain number of residents of the state are affected by the breach. In other states, notification to state agencies is required regardless of the number of affected residents.
Further, in some states, only the state’s attorney general may institute an action for a violation of the state’s law, while other states permit a private cause of action by an affected individual.
While all states require notification “without unreasonable delay,” some states provide a specific timeframe by which notification must be made to affected individuals following discovery of the breach (e.g., within 30, 45, or 60 days).
Businesses operating in multiple states must be alert to the requirements in the various jurisdictions and the growing trends in recent amendments. This chart provides a brief summary of some of the key features of state breach notification laws and the states with those features.
Selected State Provisions
Selected Provisions | States/Jurisdictions |
Expanded definition of personal information | Alabama, Alaska, California, Connecticut, Delaware, Florida, Georgia, Illinois, Iowa, Kansas, Maine, Maryland, Massachusetts, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, Rhode Island, South Carolina, South Dakota, Texas, Vermont, Virginia, Wisconsin, Wyoming, District of Columbia, and Puerto Rico. |
Content requirements for notifications | Alabama, California, Florida, Hawaii, Illinois, Iowa, Maryland, Massachusetts, Michigan, Missouri, Montana, New Hampshire, New Mexico, New York, North Carolina, Oregon, Rhode Island, South Carolina, Vermont, Virginia, Washington, West Virginia, Wyoming, and Puerto Rico. |
Notification to state agency required (requirements in some states may depend on minimum number of residents affected by the breach) | Alabama, Alaska, California, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Louisiana, Maine, Maryland, Massachusetts, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, Rhode Island, South Carolina, South Dakota, Texas, Vermont, Virginia, Washington, Wisconsin, and Puerto Rico. |
Credit monitoring required | California, Connecticut, and Delaware. |
Risk of harm | Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming. |
Trends in State Statutory Amendments
Expanded definition of personal information
Generally, the notification obligations of state data breach statutes are triggered when a “breach of security” affects “personal information,” as defined in the statute.
Personal information commonly is defined as an individual’s first name or first initial and last name in combination with an additional data element, such as a Social Security number, driver’s license number, or financial account information with the applicable PIN or access code for same. Recently, however, many states have amended their statute’s definition of “personal information” to include additional data elements, such as biometric and health information and user name or email address and password.
For example, Illinois, Oregon, and Rhode Island have expanded their definition of personal information to require notice when certain forms of health insurance, medical, and/or biometric (e.g., retina and fingerprints) data are compromised. The newly enacted South Dakota law also includes both health and biometric data in its definition of personal information. New Mexico’s new law includes biometric data. The new Alabama law also includes certain kinds of health information.
Moreover, California and Florida had been the only two states to require notice when an individual’s user name or email address and password were compromised. Now, Alabama, Illinois, Nebraska, Nevada, Rhode Island, South Dakota, and Wyoming have joined them in adopting such requirements.
Implementation of reasonable security measures
Designed to prevent data breaches in the first place, and likely to become more prevalent due to concerns over recent large-scale data breaches, at least 15 states have some form of a generally applicable “reasonable safeguards” requirement. This is a requirement that organizations implement reasonable security measures to enhance protection of personal information from unauthorized access, acquisition, use, or disclosure. Such obligations require significant efforts, reaching most, if not all, parts of an organization, remaking data breach response measures into preventive measures.
Massachusetts regulations, considered the benchmark for state data security obligations, go further than a general requirement to have reasonable safeguards. The regulations set out specific safeguards in order for organizations to be in compliance. These include maintaining a written information security program, conducting risk assessments, ensuring third-party service providers are safeguarding personal information, and encrypting personal information on portable data storage devices. New York and North Carolina are considering updates to their respective laws that would impose data security requirements similar to those of Massachusetts.
California law, on the other hand, includes a more general requirement that entities that own or license personal information about California residents implement and maintain reasonable security measures and procedures to protect that information. The recently enacted New Mexico and Alabama laws include similar provisions, and Illinois had amended its law to include such a provision as well. Other states with reasonable-security-measure requirements include: Arkansas, Delaware, Florida, Nevada, Indiana, Maryland, Connecticut, New Jersey, Oregon, Rhode Island, and Utah.
In February 2016, California’s then-Attorney General Kamala Harris issued the California Data Breach Report, which analyzed the data breaches reported to her office from 2012–2015. Perhaps the most consequential part of the Report for businesses is that it established a floor of controls (i.e., compliance with the Center for Internet Security’s Critical Security Controls). A business must implement these controls to be considered to have adopted “reasonable safeguards” to protect personal information.
Takeaways
Today’s nationwide patchwork of state breach notification laws requires data holders operating in multiple states or maintaining personal information of residents of multiple states to keep up with the requirements across many jurisdictions.
Organizations should consider the following to help them meet the requirements by establishing good baseline policies and practices:
- Develop a written information security program;
- Train employees on data security;
- Conduct regular data security assessments;
- Run tabletop security exercises; and
- Prepare breach notice templates in advance of any breach.
Please contact your Jackson Lewis attorney to discuss these developments and specific state breach notification laws and reasonable safeguard requirements.
Effective October 29, 2018, New Jersey Enacts Statewide Paid Sick Leave
On May 2, 2018, New Jersey Governor Phil Murphy signed comprehensive statewide paid sick leave into law. The statewide law may be a welcome respite to Garden State employers who have been dealing with a convoluted patchwork of 13 different city sick leave ordinances throughout the state since 2014. That’s because, effective October 29, 2018, the state law will preempt these city ordinances and provide a unified sick leave standard across the state.
Covered Employers and Employees
The Act (NJ Rev. Stat. Sec. 34:11-56a et seq.) applies to all private employers with employees in the state of New Jersey, including temporary help service firms. Public employers already required to provide employees with sick leave pursuant to any other state law or regulation are not covered by the law.
With a few exceptions, the Act covers all employees engaged in service for compensation in the state of New Jersey. Excluded from the Act are construction workers covered by collective bargaining agreements, certain per diem healthcare employees, and public employees who already receive sick leave under other state laws.
Leave Entitlements
Covered employees will be entitled to 1 hour of paid sick leave for every 30 hours worked, up to an annual accrual, use, and carryover maximum of 40 hours. In lieu of the accrual method, employers may also frontload a year’s worth of leave for employees’ use. Employers may impose a 120-day waiting period before new hires use accrued leave.
The New Jersey law has some unique aspects. First, employers may choose the increment in which sick leave is used, provided that the largest increment is the number of hours the employee was scheduled to work during the missed shift. The law also specifically explains how it will apply to temporary help service firms—specifically, earned sick leave will accrue based on an employee’s total time worked on assignment with the temporary help service firm, rather than separately for each client to which the employee is assigned.
The New Jersey law also provides a framework for annual buyback programs for employers who opt to frontload leave.
Reasons for Leave
Following the example set by other state and city sick leave laws, sick leave may be taken for many of the expected purposes—the employee’s own mental or physical health needs; care of a covered family member; and needs related to domestic or sexual violence victim status—as well as some more permissive purposes, including school and work closures related to public health emergencies and attending school-related conferences and events.
Where family members are covered, the interpretation extends well beyond the usual spouse, parent, and child inclusions. Domestic partners, grandparents, and siblings are all included, as well as “any other individual related by blood to the employee or whose close association with the employee is the equivalent of a family relationship.”
Notice and Administration
Employers may require notice of the need for leave—up to 7 calendar days when the need is foreseeable, and as soon as practicable when the need is not foreseeable. Additionally, employees may be required to make a reasonable effort to schedule foreseeable leave in a manner that is not unduly disruptive to the employer’s operation. Employers may also require reasonable documentation of the use of leave for more than 3 consecutive days.
Employers with preexisting leave policies and combined paid time off (PTO) plans (including vacation, personal, and sick days) are not required to modify those policies or provide for additional leave as long as the leave provided under the PTO policy is at least equivalent to the minimum accrual and reasons for use set forth by the Act. Additionally, the Act does not restrict employers from providing more generous leave entitlements and benefits, nor does the Act prohibit employers from adopting leave donation programs.
Further, unless an employer policy or collective bargaining agreement provides otherwise, employees are not entitled to payment of unused earned sick leave upon separation from employment. However, if an employee is reinstated after discharge within 6 months, any unused accrued leave must also be reinstated.
Restrictions
As with many other states’ laws, employers may not require employees who are requesting earned sick leave to search for or find a replacement worker to cover the employee’s time off. Employers are also prohibited from taking retaliatory personnel action or discriminating against an employee because the employee requests or uses earned sick leave.
However, these restrictions do not prevent employers from taking disciplinary action against employees who misuse sick leave for purposes other than those permitted by the law.
Posters and Recordkeeping
Employers will be required to provide notice of employees’ rights under the Act within 30 days of the issuance of a sample notification from the Department of Labor and Workforce Development. Employers must also maintain records of hours worked and earned sick leave taken for a period of 5 years. Employers that fail to maintain records will be presumed to have failed to comply with the law, and applicable penalties will be assessed.
Finally, upon the Act’s effective date, New Jersey counties and municipalities will be prohibited from adopting any ordinance, resolution, law, rule, or regulation regarding earned sick leave. Additionally, the Act will preempt any existing ordinance, resolution, law, rule, or regulation regarding earned sick leave. Thus, the multitude of city sick leave ordinances adopted throughout New Jersey will have no further effect.
California Supreme Court Broadens Definition of Employee in Independent Contractor Analysis
By: Robert M. Pattison and Amelia L Sanchez-Moran, Jackson Lewis