Archive for March, 2010
Monday, March 29th, 2010
The Massachusetts Data Privacy Act (201 CMR 17), now recently revised, went into effect March 1, 2010. It applies to many businesses in a variety of industries. The law does not apply merely to retailers, financial institutions, or other companies whose day-to-day operations involve gathering and sharing personal information. Rather, it applies generally to any business that "owns or licenses" personal information about Massachusetts residents. "Personal information" includes "a Massachusetts resident's first name and last name or first initial and last name in combination with" any of the following: Social Security number; driver's license number or state-issued identification card number; or financial account number, or credit or debit card number. Therefore, if you have any employees, receive payments from individuals (whether by check or credit card), or send out 1099s, your business owns or licenses personal information and must comply with the law.
Compliance with the law is much more straightforward and less burdensome than its language might suggest. The law requires businesses to "develop, implement, and maintain a comprehensive information security program" ("CISP") that "contains administrative, technical, and physical safeguards." However, it takes a risk-based approach by allowing businesses, in implementing these safeguards, to account for their "size, scope and type of business," "the amount of resources available," "the amount of stored data," and "the need for security and confidentiality of both consumer and employee information."
In addition, the law contains other provisions that make compliance less demanding. The definition of "encrypted" is general and technology-neutral: it refers only to "the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key." Moreover, the law states that the minimum requirements for the computer security system included in the CISP must be applied only "to the extent technically feasible." In other words, if there is a reasonable technological means to develop and implement this computer security system, that reasonable means must be used. Businesses must also "take reasonable steps to select and retain" third-party service providers capable of maintaining security measures compliant with the law. Thus, with respect to development and implementation, the law leaves a significant amount of discretion to businesses and avoids a one-size-fits-all approach.
The law is much more specific, however, with respect to the CISP. When drafting the CISP, businesses should rely on their attorneys. Before drafting it, however, businesses should make certain determinations that will help them identify the specific information they must include in the CISP. They must identify where personal information comes from, where it is stored, who uses it, and how it is used. They must also identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing personal information. They must assess the likelihood and potential damage of these threats. Before deciding on any changes to company policy, they should evaluate the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks. Finally, they should devise a plan to eliminate or, at worst, reduce those risks.
The CISP itself should set forth its objective and its purpose and define "personal information." It should identify what kind of personal information the business owns or handles, how it uses that personal information, and how it protects the information from internal and external threats. In particular, the CISP's description of how the business protects personal information from threats should include several critical elements:
(1) It must designate an information security manager. This person will initially implement the CISP; train employees; test the CISP's safeguards; evaluate the ability of each of the business's third-party service providers to protect the personal information to which the business has permitted them access, and take reasonable steps to ensure that those third-party service providers are applying appropriate security measures to personal information; review the scope of the security measures in the CISP at least annually, or whenever there is a material change in business practices that may implicate the security or integrity of records containing personal information; and conduct an annual training session on the elements of the CISP for all owners, managers, employees, and independent contractors, including temporary and contract employees, who have access to personal information. Choosing such a point person will streamline and facilitate implementation of the CISP and compliance with the law.
(2) The CISP must describe how the business ensures that its employees follow the CISP. This should involve re-training existing employees, training new employees, amending employee contracts (where applicable), annual refresher training, signed written agreements to follow the CISP, and an understanding that employees who fail to follow the CISP will be warned and/or terminated.
(3) It should limit the personal information acquired to an amount that is "reasonably necessary" to accomplish the business's objectives.
(4) The CISP must limit access to records containing personal information to those persons reasonably required to know such information in order to accomplish the business's purpose or to comply with other state or federal regulations.
(5) It must require that all security measures be reviewed at least annually, or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
(6) It should encourage employees to report any suspicious or unauthorized use of personal information.
(7) It must explain the procedure for handling security breaches, including a mandatory post-incident review of events and actions taken and a determination about whether any changes in security practices are required.
(8) It must restrict access to electronically stored personal information to employees who have a unique log-in ID. Re-login should be required when a computer has been inactive for more than a few minutes.
(9) It must provide for the protection of paper files containing personal information, especially when they are being used by employees, and it must require that, at the end of the day, all files and other records containing personal information be secured in a manner consistent with the CISP's rules for protecting the security of personal information.
(10) It must provide proper methods for the disposition or destruction of paper or electronic records containing personal information.
(11) It must devise a policy and procedure for dealing with visitors and restricting visitor access to files containing personal information.
(12) It must require reasonably up-to-date firewall protection and operating system security patches on all systems processing personal information, both designed to maintain the integrity of that personal information.
(13) It must require reasonably up-to-date versions of system security agent software, including malware protection, and reasonably up-to-date patches and virus definitions, installed on all systems processing personal information.
(14) It must require the encryption of all personal information stored on laptops or other portable devices and all records and files transmitted across public networks or wirelessly.
(15) It must require that all computer systems be monitored for unauthorized use of or access to personal information.
(16) It must contain a detailed password and user-authentication policy. The law specifically addresses passwords and states that they must be kept in a format that does not compromise them. In other words, passwords should contain a certain number of characters, including a combination of numbers, letters, and symbols, and must be difficult to crack. In addition, passwords should be changed periodically. Electronic access via passwords must be blocked after multiple unsuccessful attempts to gain access.
(17) It must describe how it protects and secures computer backups.
(18) It must include a section on third-party vendor compliance that explains how and in what manner the business shares personal information with third-party vendors and how it ensures that vendors comply with the CISP.
After finalizing the CISP, businesses must train their employees about the importance of protecting personal information and the security of the computer network. Most important, businesses must determine how they are going to accomplish these tasks and develop a reasonably secure network. They must decide whether the internal resources they have are sufficient or whether external help is necessary.
Once the CISP is finalized and implemented, businesses should monitor and update the effectiveness of the security measures and safeguards in place.
Robert Fojo, the newest member of the Employment Counseling and Litigation Practice Group, contributed this posting.
Tags: CISP, data management, data protection, employee protection, employee rights, Massachusetts Data Privacy Act. Posted in Employment Law/Legislation, Industry News.
Wednesday, March 24th, 2010
Although it may appear to be yet another act by the federal government to control daily life, this is one intrusion that has been supported by the hospitality industry for some time. Local communities, such as New York, Philadelphia, and states such as Massachusetts, have begun to enact menu labeling laws requiring certain restaurant chains to post various kinds of nutritional information prominently on their menus. Some require only calorie counts while others require information regarding trans-fats, sodium, carbohydrates and so on. Other states, such as Connecticut, have rejected such laws altogether, although in that case only by a recent governor’s veto. Faced with a patchwork of varying and complicated regulations, the industry supported federal regulation in this area so that businesses can deal with a single, consistent set of rules throughout the country.
And the rules are fairly straightforward, for now. The new healthcare reform law calls upon the FDA to develop new regulations that will set forth national standards for restaurants to post the calories of the various food items offered on the menu. The anticipated regulations will govern all restaurants with 20 or more locations. Once issued, these regulations will preempt local and state laws in the field and create an environment less likely to ensnare an operator by surprise.
That said, the industry still needs to deal with those plaintiffs' lawyers. Class actions have been brought against restaurants that have sought to market "healthier options," on the grounds that such marketing campaigns and associated menu explanations fail to disclose the full nutritional story on the plate. Whether the federal labeling law will protect restaurants the way the surgeon general's warning protected tobacco companies for years remains to be seen, but the Supreme Court has ruled that labeling laws do not necessarily preempt false advertising and fraud claims.
What does all this mean? It means restaurants will need to follow the FDA process closely these next several months and, in the meantime, continue to watch for what local law requires. In all cases, menus and other marketing materials must not serve to mislead, and any representations should first be vetted and confirmed before they are circulated to the public.
NKMS has presented on the patchwork of regulations concerning menu labeling across the country, as well as on the class actions asserting these claims that have been brought over the last two years. Be sure to watch this page and catch one of our upcoming webinars to keep up with this developing trend.
Tags: FDA, Food and Drug Administration, health care, health care bill, health care bill details, healthcare, healthcare reform, healthy living, Menu Labeling, menu labeling laws, regulations, restaurant, restaurants. Posted in Employment Law/Legislation, Industry News, Menu Labeling.
Monday, March 22nd, 2010
Last night, the House of Representatives passed the Senate's health care bill ("Senate bill") and a reconciliation "fix it" bill (the "reconciliation bill") that makes certain changes to the Senate bill. Regardless of what you think about health care, the landscape this morning is much different than before, and it is important for businesses and individuals to take note of the key provisions in both bills.
There are still some legislative steps that must be completed before either bill becomes law. The President must first sign the Senate bill in order for it to become law. The signing ceremony is scheduled for tomorrow. Then the Senate can take up the reconciliation bill. It is expected that the Senate will pass the reconciliation bill, which will alter the main Senate bill by eliminating certain controversial provisions in it. Together, however, they constitute sweeping reform of the health care industry. Beginning in 2014, coverage will begin to expand to the estimated 32 million uninsured Americans, and by 2019, it is estimated that 95% of eligible Americans would have coverage.
Here are the key provisions of both bills and when most of them take effect:
Coverage Mandates
In 2014, individuals will be required to purchase health insurance. Those who fail to purchase coverage will be fined $325 in 2015, $695 in 2016, and as much as 2.5% of their income in 2016 if the total is greater than the flat payment. There is an exemption for low-income people.
In 2014, employers with 50 or more workers who do not offer health insurance coverage will be fined $2,000 per full-time employee. Companies with 50 or fewer workers are exempt from the requirement. Part-time workers are included in the calculations: two part-time workers equal one full-time worker.
Insurance Market Reform
This year, insurers will be barred from placing lifetime coverage limits on policies, denying coverage to children based on pre-existing conditions, and canceling policies due to illnesses (i.e., rescission). Insurers must also disclose their rate increases.
Also, beginning this year, parents' health care policies will cover dependent children until age 26.
Beginning in 2011, insurers are required to spend at least 85 cents of every premium dollar on medical care in small group markets and 80 cents in large group markets. Medicare Advantage insurers are also required to spend at least 85% of revenues on medical care.
Beginning in 2014, insurers will be barred from excluding anyone for pre-existing medical conditions or charging them more.
Also, beginning in 2014, small businesses and individuals without employer-sponsored coverage can shop for health insurance plans through new state-based purchasing pools called "exchanges." ("Small businesses" are defined as those with no more than 100 employees, but states have the option of limiting exchanges to companies with 50 or fewer employees through 2016. Companies that grow beyond the size limit will also be grandfathered in.) The plans offered on the exchanges will have to meet certain minimum benefit requirements. Until these exchanges are available, there will be a temporary insurance program for the uninsured.
In addition, until the exchanges are available, businesses with 10 or fewer full-time-equivalent employees earning less than $25,000 a year on average will be eligible for a tax credit of 35% of health insurance costs. (Companies with between 11 and 25 workers and an average wage of up to $50,000 are eligible for partial credits.) The tax credit will remain in place and increase to 50% of costs for the first two years a business purchases insurance through its state exchange.
Taxes
Beginning in 2018, there will be a 40% excise tax on high-cost health insurance plans, otherwise known as "Cadillac plans" (plans costing $10,200 for individuals and $27,500 for family coverage). A higher threshold is allowed for plans covering mostly women, older workers, retirees, and those in high-risk professions.
In 2013, payroll taxes for Medicare (the government health insurance plan for the elderly and disabled) will increase to 2.35% (from the current 1.45%) for individuals earning $200,000 or more and for couples earning $250,000 or more.
The new Medicare tax will also apply to "unearned income" (i.e., investment income) for those high-income groups as an additional 3.8% surtax. Specifically, it will apply to income from interest, rent, royalties, and passive S-corporation and partnership profits for families making more than $250,000 annually and singles making more than $200,000. This tax is in addition to the current tax rate on such income. It will also likely apply to capital gains.
Beginning in 2013, individuals under 65 cannot deduct medical expenses until they exceed 10% of income (up from the current threshold of 7.5%). Retirees, however, will keep the lower threshold.
Beginning in 2011, there will be new restrictions on what can be purchased using special savings accounts funded with pre-tax dollars (including health savings accounts). Improper withdrawals from the accounts will incur a 20% tax. In addition, there is a new limit of $2,500 on what people can contribute to employer-sponsored flexible spending accounts (another type of account funded with pre-tax dollars that can be used to pay for medicines, co-payments, and other expenses). Before this cap, employers set their own limits, typically between $3,000 and $5,000.
Beginning in 2013, there will be fees on medical device manufacturers, insurance providers, and brand-name pharmaceuticals.
Insurers will also be denied deductions for executive pay over $500,000. (Under current law, businesses can deduct up to $1 million a year in compensation for executives.)
Finally, beginning this year, there will be a 10% tax on indoor tanning services that use ultraviolet lamps.
Federal Subsidies
Beginning in 2014, federal subsidies will be provided to help people with incomes of up to 400% of the poverty level (approximately $88,000 per year) purchase health insurance on the exchange. Those subsidies will be higher for lower-income people.
Medicaid Expansion
Beginning in 2014, Medicaid (the government health insurance program for the poor) will be expanded to everyone with incomes of up to 133% of the poverty level. That equates to $10,830 for an individual and $29,327 for a family of four. (Many states have eligibility requirements below those levels.)
The reconciliation bill eliminates a special deal that would have provided more money to Nebraska to cover costs of increased Medicaid coverage.
Medicare
In 2011, payments to insurers that provide coverage to Medicare patients will be frozen. The law begins reducing this subsidy in 2012.
Effective immediately, the law begins to close the gap in drug coverage for Medicare beneficiaries (known as the "donut hole"). Those who enter the coverage gap in 2010 will receive a $250 rebate. In 2011, they will receive a 50% discount on brand-name drugs. When the gap is completely eliminated in 2020, seniors will still be responsible for 25% of the cost of their medications until Medicare's catastrophic coverage kicks in.
Student Loans
The law will also eliminate a $60 billion program that supports private student loans with federal subsidies, effectively eliminating private-sector student loan lending, and replace it with government lending to students.
Tags: health care, health care bill, health care bill details, health care bill provisions, health care bill take effect, healthcare. Posted in Employment Law/Legislation, Health & Safety, Industry News.
Friday, March 12th, 2010
Not by cursory, mandatory "diversity training," says Elizabeth Levy Paluck of Princeton University, as reported in the Boston Globe earlier this week. According to her report, diversity training in the workplace has not improved diversity or changed the workplace in any measurable manner. In fact, such training can have a backlash effect depending on how it is administered.
But that "depending" is a big qualifier that in some ways sets up a straw man, one easily knocked down by those who wish to engage in best practices that can improve not only diversity but also the morale of a company's workforce. A properly administered diversity action plan can make a workforce more productive and, in the end, more profitable. The Globe report discusses how mandatory training geared toward avoidance of legal claims does not serve to change attitudes in a positive manner. To some extent, the report states a mere truism, as a list of "thou shalt nots" without more typically does not create any positive motivation to do the right thing. Rather, training focused on teamwork and values, coupled with a program for hiring, mentoring, promoting and monitoring, can serve to improve diversity, increase your talent pool, and strengthen your team and your business.
In other words, do diversity like you mean it, not because Big Brother tells you to. Like anything else, success in diversity requires a plan, hard work and diligence. An annual 60-minute training won't do it. NKMS has published frequently on this topic, and we have often conducted corporate training that focuses on "Respect, Teamwork and Common Sense." It's good to see the academics agree with the approach we have taken through the years.
Chris Vrountas, Chair of the Employment Counseling and Litigation Group, contributed this posting.
Tags: Boston Globe, Diversity, Diversity Training. Posted in Diversity, Industry News.