Employer Law Report

Don’t wannacry? Help your IT staff prevent ransomware

I have frequently blogged about human resources departments’ role in preventing data breaches in their organizations and to date have largely focused on training employees to recognize and respond phishing exploits designed to encourage employees to click on email links or attachments that contain malware. See for example here, here and here. But, in what some have been calling the biggest cyberattack ever, the recent “Wannacry” ransomware apparently seeks out computers containing a vulnerability in the Microsoft Windows operating system, which permitted the ransomware to  infect approximately 200,000 computers in 150 countries across the globe. No clicking required.

The tools to create the attack reportedly were developed by and then later stolen from the National Security Agency. Although Microsoft has issued a patch to address the vulnerability and reports indicate that the spread of this version of Wannacry has been stemmed for the time being, this certainly won’t be the last ransomware attack we see.

While any technological steps that organizations can take to reduce their own vulnerabilities in the future go far beyond my understanding, human resources departments can help protect their organizations by creating a cyber-aware culture. In addition to training employees to be suspicious of any external email links and attachments, here are two additional steps that can be taken immediately:

  1. Require and then train the workforce on good cyber hygiene. For instance, require strong passwords that must be changed periodically and constantly remind employees to assist the IT department to apply software patches on all employee workstations by shutting down nightly.
  2. Work with the IT department to eliminate or at least reduce employees’ need to work on personal devices other than through a virtual private network (VPN). Encourage employees who do work from home to use only secure wifi networks and to keep their antivirus and anti-malware software up-to-date.

NLRB panel majority upholds employer right to justify “no recording” policy; denies general counsel summary judgment motion

In a follow up to its Whole Foods Market, Inc. decision, which found unlawful an employer policy prohibiting workplace recordings by employees without prior management approval, an NLRB panel majority in Mercedes Benz U.S. International, Inc. denied the General Counsel’s motion for summary judgment on a similar “no recording” policy. According to the majority, Mercedes was entitled to a hearing, which would provide an opportunity to present evidence regarding its business justifications for the policy, and about whether the policy was communicated or applied in a manner that clearly conveyed an intent to permit protected activity.

Member Pearce dissented, arguing that the employer’s policy which prohibited the use of cameras and video recording devices in the plant without prior authorization, was facially overbroad and did not provide any exceptions for protected concerted activity. As such, according to Member Pearce, the policy tends to impermissibly chill employee expression and therefore was unlawful regardless of the employer’s intent in adopting and implementing the policy and regardless of whether employees actually interpreted the policy as restricting their Section 7 rights.

Continue Reading

Ohio Appellate Court dismisses privacy breach lawsuit against employer

A recently published decision of an Ohio Court of Appeals reminds us that, particularly in this electronic age, employers need to be very careful in the handling of confidential medical information. The decision is also a reminder that sometimes the outcome of a case can depend on the precedent in a particular appellate district.

In Templeton v. Fred. W. Albrecht Grocery Co. the 9th District Court of Appeals (for Summit County, Ohio) the employee responsible for managing workers’ compensation claims for the employer inadvertently sent a psychological report regarding the plaintiff to other employees rather than to the plaintiff’s attorney as she intended. The plaintiff brought suit alleging unauthorized disclosure, negligence and invasion of privacy. In response, the employer filed a motion to dismiss the claims as a matter of law.

The trial court dismissed the unauthorized disclosure and negligence claims at the outset and then, ultimately granted summary judgment as to the invasion of privacy claim. The plaintiff then appealed.

Continue Reading

Work from home case shows importance of job descriptions and interactive dialogue

In a recent “work from home” decision by the U.S. District Court for the Eastern District of Pennsylvania, the court denied Sneaker Villa, Inc.’s, (the employer) motion for summary judgment. Slayton v. Sneaker Villa, Inc. Why is that important? In employment discrimination lawsuits, an employer’s earliest opportunity to have a case dismissed without the cost and risk of a jury trial is with a summary judgment motion. If the motion is denied, the case is headed for trial. The risks go up, the costs go up and, typically, so do the plaintiff’s settlement demands. In this case, the court decided that the question of whether the employer should have allowed work from home as a reasonable accommodation should be decided by a jury. The case is a reminder that an employer can jump too quickly to the conclusion that a request for a work from home assignment cannot be accommodated.

What happened?

The employee, Ms. Slayton, suffered fractured vertebrae and head trauma in a bus accident. After approximately two months of short-term disability leave, Ms. Slaton asked to return to her job as a corporate recruiter with the accommodation of working from home for four weeks, or until her physical therapy was completed. The employer denied the request to work from home and said that Ms. Slayton’s job would have to be filled because of the critical recruiting period that the employer was about to enter. Continue Reading

New Secretary of Labor sworn in

Much has been written recently about the first 100 days of the Trump Administration. Some would argue that little of significance has changed in the employment regulation world. But, the confirmation on April 27, 2017 of new Secretary of Labor R. Alexander Acosta squeaked through the door just before the first 100 days concluded and it could be an initial step towards the sort of employment regulation reform that many in the business community have been expecting.

Secretary Acosta will lead the Department of Labor (DOL), the cabinet department responsible for, among other agencies, the federal Wage and Hour Division (WHD), Occupational Safety and Health Administration (OSHA) and the Office of Federal Contract Compliance Programs (OFCCP). The WHD regulates minimum wage and overtime compliance, including the related exemptions and FMLA compliance. Of course OSHA regulates workplace safety and the OFCCP enforces affirmative action requirements for federal contractors and subcontractors. Clearly, Secretary Acosta will have an opportunity to impact significant areas of employment regulation, though the specific impact remains to be seen. The new Secretary’s early public remarks understandably have been general and focused on broadly-stated objectives to preserve and return jobs. But will the path to that aim include significant changes in existing and proposed employment regulations? Continue Reading

President Trump’s executive order on H-1B visas

President Trump issued yet another executive order addressing immigration issues on Tuesday, April 18, 2017. This order, entitled “Buy American and Hire American,” addresses federal procurement policies and reiterates the established policy to purchase goods manufactured in the United States. The order also addresses the H-1B visa. While it does not change any law, regulation or policy, it comes only one day after USCIS once again announced that 199,000 H-1B petitions were received during the first five business days of April to overwhelm the 85,000 limit on visas for the next fiscal year.

Substantively, the executive order merely orders the federal agencies that administer the H-1B program to enforce all laws related to the H-1B visa, something the federal government is already required to do. In addition, the President has ordered these agencies to examine how the program can be improved to protect American jobs. However, the President clearly intends this executive order to focus attention on the H-1B visa. This was made clear in the “Gaggle[1] published on the White House website earlier the same day. This “Gaggle,” a transcript of a conversation between an anonymous “Senior Administration Official” and reporters aboard Air Force One, was published on the official White House website. It is not clear how a document published on this website is “not for attribution” or aligns with President Trump’s criticism of anonymous sources, but nevertheless, it is a discussion of the executive order and seeks to provide some insight into the thinking behind the order.

Continue Reading

NLRB’s Dish Network decision: A sign of things to come for employer arbitration agreements?

As he tends to remind us on a regular basis, Donald Trump won the presidential election back in November 2016. But that doesn’t mean that National Labor Relations Board (NLRB) policy turns on a dime. The Board has only three members at this time with Member Philip Miscimarra (R) in the role of Acting Chairman still outnumbered by Members Pearce (D) and McFerran (D). With confirmations of even cabinet level nominations still pending, it could be well into 2018 before a full complement of Board Members are in place and the Republicans take the majority.

Although the Board’s recent decision in Dish Network, LLC probably would have yielded the same result with a full Trump Board, Acting Chairman Miscimarra’s concurring opinion likely signals a future relaxing of the Board’s standards for evaluating whether certain employer policies and employment agreements violate employee Section 7 rights under the National Labor Relations Act (NLRA). In Dish Network, the Board concluded that the employer’s mandatory arbitration policy and agreement violated Section 8(a)(1) of the NLRA. Following its jurisprudence from prior cases decided during the Obama Administration, the Board concluded that the arbitration agreement constituted an 8(a)(1) violation because it “specifies in broad terms that it applies to ‘any claim, controversy and/or dispute between them, arising out of and/or in any way related to Employee’s application for employment, employment and/or termination of employment, whenever and wherever brought.’” Continue Reading

Pro se litigant sets off Title VII avalanche: Seventh Circuit holds that Title VII prohibits sexual orientation discrimination

Never underestimate the power of a pro se litigant. That’s one lesson to take away from the Seventh Circuit’s en banc opinion in Hively v. Ivy Tech Community College, which is the first appellate decision to hold that Title VII bars employment discrimination on the basis of a person’s sexual orientation. Because Ivy Tech has stated that it does not plan to seek Supreme Court review (despite a Circuit split on the issue), employers subject to Title VII, particularly in Illinois, Wisconsin and Indiana, should know about this opinion and consider how and whether it may apply to them.

Surprisingly, this momentous decision resulted not from a national impact-litigation strategy but rather from the humble efforts of one pro se litigant. Math teacher Kimberly Hively filed a form complaint in federal court that alleged she was denied full-time teaching positions and promotions based on her sexual orientation, and sought damages based on Title VII and 42 U.S.C. § 1981. Ivy Tech Community College moved to dismiss and the Northern District of Indiana granted the motion. Undeterred, Ms. Hively retained advocacy group Lambda Legal to prosecute an appeal. Although she initially lost in a now-vacated opinion filed by a Seventh Circuit panel, Ms. Hively successfully sought reconsideration by the en banc Seventh Circuit with the support of amici EEOC and five Members of Congress, among others. The full Court voted 8-3 in favor of Ms. Hively and issued four opinions.

Continue Reading

#Justiceforbradswife: Responding to viral social media

bradswifeThough you may find it hard to believe, there are some things that southern comfort food and a glass of sweet tea just can’t smooth over. Restaurant chain, Cracker Barrel, is finding this out the hard way this week as it draws the ire of the public after Bradley Reid Byrd, the husband of a former Cracker Barrel employee posted one simple question on Cracker Barrel’s Facebook page on Feb. 27, 2017: “Why did you fire my wife?”

The post went largely unnoticed until March 22, 2017 when comedian Amiri King posted the screen grab (above) to his Facebook page and the ordeal went viral.

Continue Reading

Boeing Data Breach is yet another illustration of need for employee education and training

In November 2016, a Boeing employee experiencing difficulty formatting an Excel spreadsheet. Not realizing that hidden columns included birth dates and social security numbers for 36,000 Boeing employees, he emailed the spreadsheet to his wife, who was not a Boeing employee, so she could help. This seemingly innocent act prompted Boeing to launch an investigation and notify those employees and officials in four states of a data breach.

You see, data breaches are not always caused by Russian hacks or other cyber-criminals. Sometimes it is the most innocuous action taken by the most well-meaning of employees. As a result, Boeing had to investigate whether the data went any further than the employee’s wife and to make sure it was deleted from her computer. Luckily for Boeing, it seems that the damage was quite limited and the data was not further compromised after reaching the employee’s spouse. Nevertheless, Boeing is notifying 36,000 employees in four states of this incident as well as state officials in each of those states. Finally, Boeing is offering free credit monitoring to the affected employees.

Simple employee education and training can help avoid these unfortunate incidents from occurring. For instance, whoever sent the spreadsheet to the employee in question should have known to label the document as sensitive and, if the technology was available, could have prevented the document from being copied, printed or forwarded. Finally, the employee in question should have been trained not to send sensitive information to personal email addresses.

LexBlog