
Duff on Hospitality Law

New Reports Offer Key Insights into Data Breach Patterns and Costs – Hospitality Industry Remains a Primary Target

Posted in Data Privacy

Benjamin Lambiotte, technology and data privacy attorney in Garvey Schubert Barer’s D.C. office, shares key points from two significant survey reports analyzing trends in data security breaches during 2014 that were released this week; one from Verizon, and the other from IBM and the Ponemon Institute.  It should come as no surprise to anyone that once again, the hospitality industry is featured prominently in both reports.  Thank you, Ben! – Greg

The Verizon report studies in depth the industry sectors most frequently targeted and affected, the nature of current threats, and causes and consequences of actual data breaches. The Ponemon report focuses on costs associated with successful attacks. Both are worth a close read. Together, the reports starkly illustrate the increasing pervasiveness, complexity and costs associated with preventing and responding to data breaches. The good news is that they also provide guidance on effective preventive and cost control measures.

Here are some of our key takeaways and observations from these fascinating reports:

No Organization or Business is Immune from Attack, but Some are More Frequent Targets Than Others

  • In terms of volume of security incidents by sector, the top ten (in order) were government entities, information, financial services, manufacturing, retail, hospitality, professional services, health care, and other services.
  • Actual data breaches (attack succeeds; data lost or compromised) occurred most frequently (in order, by sector) in: government, financial services, manufacturing, hospitality, retail, professional services, health care, information, education, and other services.
  • In certain industry sectors, cyber criminals more frequently breach smaller businesses. Smaller hospitality businesses, by far and away, ranked number one, with retail second. Financial services remains the number one large business target, followed by large retail, and health care.
  • Certain industry sectors are more frequent targets of certain types of threats. For example, the hospitality industry is particularly susceptible to Point of Sale (POS) intrusions. Verizon reports that 91% of data breaches in that sector were POS intrusions. The POS credit card systems used in that industry have of late been plagued by a new breed of malware (including POSeidon) that burrows deep into the system and “scrapes” card data momentarily stored in RAM. “Insider” threats (errors and abuse of access privileges) are more prevalent in health care than other industries. Financial institutions are particularly vulnerable to “crimeware” and web application hacks. Businesses should calibrate their risk management approaches to the specific types of threats they face.

Dealing With a Data Breach is Expensive — the More Records Compromised, the More it Costs

  • Ponemon predicts that the average per record mean cost of a data breach will be $201 per record, an increase over the past two years. Such costs include lost customers, and expenses of dealing with the breach. Relative costs depend on the scale of the breach.  Verizon predicts that breaches of 1,000 records will result in losses between $52,000 and $87,000, and that breaches of 10 million records will result in losses of between $2.1 to $5.2 million.
  • Certain industries have higher data breach costs than others, with regulated industries having a higher per capita record costs than non-regulated businesses. The highest relative per capita data breach costs (in order) are in the health care, transportation, education, energy and financial sectors.

The Most Frequent Ways Cybercriminals Gain Access is Through Dumb Stuff We Do or Don’t Do

  • In order to steal or compromise sensitive data, cybercriminals have to get at it. The most common way they breach the castle continues to be “phishing” and “spearphishing.” “Phishing” involves baiting a system user to respond to an official-looking e-mail asking for a reply “verifying” a password or account number. “Spearphishing” is a variation where the e-mail also resembles a routine communication from a trusted sender, but invites the recipient to click on a web link or open an attachment whose payload is malware. The stats are sobering. Fully 23% of e-mail recipients open phishing e-mails, and 11% click on the malware payload. 50% of the time, this happens within an hour after the “seafood” e-mail arrives. A phisher who sends out this kind of chum generally only has to wait 1.22 seconds before some sucker somewhere takes the bait.
  • Another prevalent way cybercriminals get at sensitive data is an organization’s failure to install “patches” for known security vulnerabilities. The stats here are also depressing. In 2014, half of exploited vulnerabilities were defeated within less than a month after becoming known. But in 99% of the cases where a known vulnerability was exploited, a patch had been available for a year or more! Due to failure to implement available fixes, hackers continue to be able to exploit well-known “oldie but goodie” vulnerabilities.
  • Plain old human error is another major inroad for hackers. 60% of incidents were caused by internal staff sending sensitive information to the wrong person, putting sensitive data on publicly accessible servers, or disposing of sensitive medical or personal data in insecure ways. Also, people forget or lose mobile devices containing sensitive data in an insecure environment all too frequently.
  • While technological countermeasures are necessary, a focus on human factors – the loose nut behind the keyboard – is at least as important. Training and awareness, and practices designed to mitigate our natural tendencies to make the type of mistakes that frequently give hackers keys to the castle, are a key part of any data breach risk management strategy.

Certain Specific Measures Can Reduce the Cost of a Data Breach When it Occurs

  • The Ponemon report documents that certain types of expenditures can reduce the overall cost of data breach. Having in place before the breach a strong security posture, a Chief Information Security Officer with responsibility for data protection, and a defined incident response plan all reduce the per capita record cost of a breach. It makes sense that planning and investing resources before an incident occurs can save money when it happens.

If you have any questions about these reports, or for more information on data security, please feel free to contact me or Ben, directly.

Keeping Your Undocumented Employees Authorized for Employment

Posted in Employment Law

In today’s post, Gregg Rodgers, Chair of GSB’s Immigration Practice Group and member of our Hospitality, Travel & Tourism practice team, provides us with the latest updates regarding the federal processes that authorize employment for certain undocumented persons. Thank you, Gregg! – Greg

In my previous blog post, I discussed how recent Presidential Executive Actions had made it possible for certain people who reside in the U.S. without proper documentation to be assigned social security numbers and issued Employment Authorization Documents (EADs).  Today’s post provides important information and updates to help an undocumented individual get and retain legal employment authorization. (An employer should never knowingly hire or continue to employ an unauthorized worker.) Most importantly, you will see that it has become extremely important to apply for renewal of an EAD earlier than the government had previously suggested. Getting the word out to employees affected by this may help keep them on your payroll.

Deferred Action for Childhood Arrivals (DACA)

You have probably heard about the President’s Executive Action on June 15, 2012, in which he authorized a procedure for many undocumented people in the U.S. to become authorized for employment.  Individuals who demonstrate that they meet the guidelines may request consideration of “Deferred Action for Childhood Arrivals” (DACA) for a period of two years, subject to renewal for a period of two years, and may be eligible for employment authorization. By December 31, 2014, 638,897 people who came to the United States as children and who met the guidelines, had been approved for “deferred action” by the government.

DACA has made it possible for hundreds of thousands of undocumented people to become legally employed in the US for the first time, or to get employment authorization that they could present to their current employer to update Form I-9 information.

Many people have already obtained a two-year EAD and have applied for or are now ready to apply for renewal. Employers should know that, for this group of individuals, employment can occur only after the presentation of a valid EAD and cannot continue past its expiration date unless the employee presents another EAD or other documentation from the List of Acceptable Documents.  Having applied for renewal of an EAD or even presenting proof of the approval of an EAD that has not yet been received is not enough to allow continued employment.

But renewing an EAD has become a challenge. Historically, the government discouraged the filing of an Application for renewal of an EAD more than 120 days before its expiration. Most people applied between that date and 90 days before its expiration because, by regulation, the government has 90 days from the date of receipt of the application to adjudicate it, or it is required to grant an EAD for a period not to exceed 240 days. Unfortunately, the government has not met its required adjudication or issuance obligations in most cases over the past several months, resulting in the inability to confirm employment authorization and the subsequent termination of employment for those whose EADs have been delayed. Some employers have treated the termination as temporary, allowing a return to employment for those affected by these delays after the new EAD is presented.

Just this month, the government acknowledged the problem and began to encourage applicants to submit renewal requests 150 to 120 days before the current period of DACA and employment authorization is set to expire. Employers are encouraged to notify DACA-authorized employees of this procedural change.

Implementation of Executive Action of November 20, 2014 Delayed

My January blog post also referenced the President’s Executive Action of November 20, 2014, which had two important issues relevant to this post. However, a temporary injunction was issued on February 16, 2015, that prevents the government from accepting requests as noted below. People interested in understanding more about these issues can read more and register with the federal government to get email updates regarding the status of this important program.

Expanded DACA

The 2014 Executive Action expanded DACA in several ways. If the injunction is lifted, it could apply to applicants of any age who meet the other requirements (whereas DACA applies to only those under the age of 31 on June 15, 2012) and employment authorization would be expanded from two years to three years.

Deferred Action for Parents of Americans and Lawful Permanent Residents (DAPA)

Another significant part of the now-enjoined Executive Action of November 20, 2014 includes authorization for parents of U.S. citizens and lawful permanent residents to request deferred action and employment authorization for three years, provided that they have lived in the United States continuously since January 1, 2010, and pass required background checks. This is known as “Deferred Action for Parents of Americans and Lawful Permanent Residents,” or DAPA.

Where Do We Go From Here?

Maintaining a loyal and stable workforce is important. I fully expect that expanded DACA and DAPA will be authorized in the relatively near future. It can be a good idea to monitor the litigation because, if the injunction is lifted, the government can be expected to move quickly to begin accepting applications for expanded DACA and DAPA. In the meantime, you may want to urge anyone who already has a DACA-based EAD to apply for renewal within the newly announced 150 – 120 day window as the best way to assure the likelihood of continuous employment authorization for them.

If you have any questions about Form I-9 compliance, please call me or Gregg.

Are You a Non-Union Shop? Why You Should Care About the NLRB’s Latest Report

Posted in Employment Law

Nancy Cooper, member of our Labor and Employment Group and Hospitality, Travel and Tourism practice team, discusses the NLRB’s March 2015 report and the importance of reviewing and updating your employee handbook. Thank you for today’s post, Nancy! – Greg

The National Labor Relations Board (NLRB or the Board) oversees all things union under the National Labor Relations Act (NLRA). Congress enacted the NLRA in 1935 to protect the rights of employees and employers, to encourage collective bargaining, and to curtail certain private sector labor and management practices, which can harm the general welfare of workers, businesses and the U.S. economy. Even though the NLRB is focused on labor management practices with the unionized workplace, it also has jurisdiction over private sector employers who do not have a union. The Board just has not often exercised that authority – but that has increasingly changed over the last ten years or so.

The NLRA gives employees the right to act together to try and improve pay and working conditions (“protected, concerted activity”), whether the employees are union or non-union.  These rights are also commonly referred to as Section 7 rights because they are outlined in Section 7 of the NLRA. The NLRB has become more active in enforcing these rights.  Generally, the Board looks to see if actions taken are of a concerted (more than one person) nature intended to address issues with respect to employees’ terms and conditions of employment. Sometimes, though, the issue is not the action taken, but the rules that govern the employees’ behavior, such as those in your employee handbook.

On March 18, 2015 the General Counsel of the NLRB issued a report regarding what language in certain employer policies would be considered lawful, and what would not.  When reviewing such rules, the NLRB looks at whether or not the language would act to chill employees from exercising their right to engage in a protected, concerted activity. In other words, they looked at each policy before them to determine if the average reasonable employee would likely read the policy to mean that the employee was not allowed to talk about the terms and conditions of their employment with others, whether that be outside people or other employees. If it could be read to mean that, the policy was unlawful.

So what sorts of things could be read to restrict employees from talking to each other? Just about anything from social media policies to confidential information policies to anti-harassment rules and anywhere in between.  Above all, the context in which a phrase was used seemed to make a difference if a phrase was a close call.  So it is important, as you review your handbook, to not just focus on the words themselves but also the context in which they are used.  Additionally, it is important to remember that a simple disclaimer such as, “Nothing in this policy is meant to prevent employees from engaging (or declining to engage) in discussions about their terms and conditions of employment” may be helpful, but it is not an automatic guarantee that an otherwise unlawful policy will now be lawful.

Some examples of phrases the NLRB found to be problematic (and why) are:

Confidentiality:

  • Do not discuss customer or employee information outside of work, including phone numbers and addresses. (Overbroad reference to “employee information” and the blanket ban on discussion may lead an employee to think they could not discuss the terms and conditions of employment, including the contact information of other employees so that they could all talk.)
  • Discuss work matters only with other Company employees who have a specific business reason to know or have access to such information. Do not discuss work matters in public places. (Broad restrictions that do not clarify they are not meant to impinge on an employee’s rights under the NLRA so an employee could reasonably understand it to encompass wages, benefits and other terms and conditions of employment.)
  • Confidential Information is: “All information in which its (sic) loss, undue use or unauthorized disclosure could adversely affect the Company’s interests, image and reputation or compromise personal and private information of its members.” (Employees have a right to share information that supports their complaints about wages and terms and conditions of employment, and employees may believe they cannot disclose that kind of information because it might adversely affect the Company’s interest, image or reputation.)

Employee Conduct Toward Employer:

  • Be respectful to the Company, other employees, customers, partners and competitors. (Overbroad and employees could reasonably construe them to ban protected criticism or protests regarding their supervisors, management or the Company in general.)
  • No defamatory, libelous, slanderous or discriminatory comments about the Company, its customers, and/or competitors, its employees or management. (Overbroad and employees could reasonably construe them to ban protected criticism or protests regarding their supervisors, management or the Company in general.)
  • It is important that employees practice caution and discretion when posting content on social media that could affect the Company’s business operation or reputation. (Overbroad because it could reasonably be read to require an employee to refrain from criticizing the employer in public.)

Employee Conduct Toward Another Employee:

  • Do not make insulting, embarrassing, hurtful or abusive comments about other company employees online and avoid the use of offensive, derogatory or prejudicial comments. (Overbroad because debate about unionization and other protected concerted activity is often contentious and controversial. Employees could reasonably read such a rule to mean they are limited in their ability to be honest in discussions regarding these subjects.)

There are many more examples of problematic employer rules on various topics in the report. You are encouraged to look again at your employee handbook and employer rules.  If you have any questions, or for more information regarding this report, please feel free to contact me or Nancy. We will be glad to help bring your employer rules back within the safety zone – at least until the next General Counsel report is issued.

Federal Court Denies Attempt to Halt Franchise Provision of Seattle’s Minimum Wage Ordinance

Posted in Employment Law

Victoria Slade, member of our Labor and Employment Group, brings us the latest ruling on Seattle’s Minimum Wage Ordinance.  Thank you, Vicky! – Greg

In a 43-page ruling issued late Tuesday, Federal Judge Richard Jones denied the International Franchise Association’s (“IFA”) bid to prevent Seattle’s Minimum Wage Ordinance’s franchise provision from going into effect as written. As a result, starting April 1, most franchisees in Seattle will be treated as “large” employers under the Ordinance, meaning they must pay the higher initial rate of $11 per hour. They also will scale up to the $15 minimum wage in just three years, much more rapidly than small businesses. While this is not the end of IFA’s case attacking the franchise provision, it is a big setback and a strong indication that IFA is unlikely to ultimately be successful.

IFA had sought a preliminary injunction, challenging the Ordinance’s definition of “large” employers as including all franchisees that are part of a chain with more than 500 employees anywhere in the nation. It argued that franchisees are more like small businesses, because individual locations are separately owned and have far fewer than 500 employees. It argued that, by lumping small franchise owners together with large businesses, Seattle was putting franchisees at a competitive disadvantage. It further alleged the City had intentionally discriminated against franchisees because of its preference for local businesses. This discrimination, if proved, would be a problem because states and cities are not allowed to enact legislation that is intended to or has the effect of favoring local businesses over out-of-state businesses. IFA’s motion, if granted, would have put a temporary hold on the franchise portion of the Ordinance and required that franchisees with fewer than 500 employees be treated as small businesses until the case was fully resolved, which could take until the end of this year. The Court heard three hours of oral argument on the motion last week.

The Court’s Order rejected each of IFA’s legal theories. In sum, the Court found:

  • The Ordinance is not discriminatory as written because it applies equally to franchisees whose corporate headquarters are in Seattle.
  • The Ordinance does not have a discriminatory purpose. The stated purpose of the minimum wage hike is to reduce income inequality and promote the general welfare, health, and prosperity of Seattle workers, and the rationale for differentiating between small and large businesses is the recognition that large businesses will have less “difficulty accommodating the increased costs.” Although IFA argued that comments by a member of the Advisory Committee to the Mayor regarding “extractive national chains” revealed an ulterior motive to harm multi-state businesses, the Court gave these comments little weight. It reasoned that this was a “politically charged” issue with impassioned debate, “fervent remarks,” and lobbying on both sides, making it improper to focus so heavily on a comment by one member of the public. It also rejected IFA’s argument regarding statements by members of the City Council, reasoning that the statements, even if they were discriminatory, were “insufficient to override the entire City Council’s formal statements of purpose in the Ordinance itself.”
  • The Ordinance does not have a discriminatory effect on franchisees. To invalidate the franchise provision under this argument, IFA had to prove the Ordinance would harm franchisees so much that the ultimate effect would be that local goods would have a larger share of the market than goods that come from out of the state. The Court found IFA had only argued potential, rather than actual, harm to franchisees and refused to “speculate or to infer discriminatory effect without substantial proof.” Although IFA had argued that franchisees would be forced to close up shop or that new franchisees would not open in Seattle, there was insufficient proof of this. Moreover, the Court noted, there was some evidence that franchisees would not be harmed because they could draw upon the “greater financial resources” of their franchisors to support them during times of business stress. Even if the court did assume there would be some negative effect on franchisees from the law, this burden would not override the local benefit from assisting low wage workers, and, in any event, the court stated, “it is not the court’s place to second guess the reasoned judgments of the lawmakers who studied and analyzed this issue as part of an involved legislative process.”
  • There was no equal protection violation because it was rational for the City to believe franchisees would be able to tolerate the increased wage better than small independent businesses. The court pointed to economic benefits from the franchise relationship, such as national advertising, valuable and well-known trademarks, reduced cost for supplies and raw materials, training, and a network of other franchisees who provide valuable business advice. The Court also pointed out various benefits that individual plaintiff franchisees had acknowledged, such as one Holiday Inn franchisee’s use of a large on-line reservation system and access to a loyalty reward system with 74 million members worldwide.
  • The Court also rejected IFA’s other arguments, including its First Amendment claim, its argument that the Ordinance was preempted by federal law on copyrights (the Lanham Act) or health plans (ERISA), and its claim under the Washington State Constitution’s Privileges and Immunities clause. For each, the reasoning was essentially that these theories, while in some cases “novel and creative,” were not well-supported under the law and were otherwise unpersuasive, given the court’s reasoning on some of the previous claims.

Overall, the Court found IFA did not prove it was likely to win on any of its arguments. Although it was “sympathetic to the concerns of franchisees,” it also found that any harm from the Ordinance taking effect was speculative and not supported by the evidence. It also balanced the harm to franchisees against the “concrete harm” to low-wage employees if they lost the expected wage increase and found the equities did not support the requested injunction. Finally, in a serious blow to IFA’s chances at ultimate success in this case, assuming it goes forward, the Court found IFA had failed to raise “serious questions” showing it had a “fair chance of success on the merits.”

Although this ruling is not the end of the case, Judge Jones’ thoughtful and comprehensive analysis of IFA’s claims is a strong indication that IFA will not ultimately be successful while the lawsuit is before Judge Jones. If you have any questions on this ruling, the IFA litigation, or Seattle’s Minimum Wage Ordinance in general, please contact me, Diana Shukis, or Victoria Slade.

Third Annual Travel & Technology Conference

Posted in Technology, Travel

Don’t miss out on the Third Annual Travel & Technology Conference/TNT: Connecting Concepts with Cash, scheduled for March 17, 2015, Hilton Union Square, in San Francisco, CA. This year’s event is being produced by our friends at Hospitality Upgrade, and looks to be another great conference, including a $10,000 prize package for the winning pitch company!  In addition to pitches by some of the industry’s most exciting start-ups, this year’s event will feature presentations and discussions on big data, distribution and restaurants, among other things.  For more detailed information, please see link to Agenda.  If you are interested in attending, please see registration link here — I look forward to seeing you at the conference! – Greg


Don’t Forget Copiers, Scanners and Fax Machines in Your Data Security Program

Posted in Data Privacy, Technology

How secure is the data on your office copier?  Today’s post from Benjamin Lambiotte, technology and data privacy attorney in Garvey Schubert Barer’s D.C. office, outlines the data security risks associated with office machines, as well as the warning signs and steps that you can take to reduce those risks.  Thank you, Ben! – Greg

Current generation multifunction printer/scanner/copier devices are convenient, inexpensive, and very popular. Often overlooked is the fact that most modern printers, copiers, and scanners have many of the same attributes of computers, and are just as vulnerable to the same kind of cyber exploits and attacks as computers. A truly comprehensive data security and privacy risk management approach requires that these commonplace devices be viewed as an integral part of an enterprise’s IT systems, and that device-specific measures be taken to secure them. The National Institute of Standards and Technology (“NIST”) last month published a report on risk management practices for “replication devices.” The NIST report identifies risks associated with such devices, and provides guidance on protecting the confidentiality and integrity of information processed, stored, or transmitted on them.

Risks
Threats include:

  • Default administration/configuration passwords: Many devices have default passwords which can be easily obtained and used to access stored data, or to control the device.
  • Data capture: Unless encrypted, data transmitted or stored, including passwords, configuration settings, and data from stored jobs, is vulnerable to interception or modification.
  • Spam: Unless properly configured and without proper access control, many devices will process any job submitted, which could waste paper, toner, and ink, and tie up the device.
  • Alteration/corruption of data: If passwords or configurations are changed, denials of service for authorized purposes or potential damage to the device could result.
  • Outdated and/or unpatched operating systems and firmware: Many devices run an embedded operating system, making them subject to the same threats as any other computer running those operating systems. Also, older devices may have embedded versions of operating systems no longer supported by the manufacturer, which may leave “unpatched” security issues.
  • Open ports/protocols: For devices that can connect to local networks or the Internet via wireless or ports, open ports and protocols allow data to flow to and from a device. Through open ports, attackers may gain undetected access, and data tampering, unauthorized access, and denial of service can result.

Warning Signs
The Report identified several signs indicating that the security of such a device may be compromised:

  • Display malfunctions or shows incorrect information;
  • Materials (ink, paper, or other supplies) run out faster than usual;
  • Increased number of failed or timed-out jobs;
  • Unexplained/unauthorized changes in configuration settings;
  • Device completes processes slower than expected;
  • Device uses more network time/bandwidth than usual;
  • Time stamps do not align or make logical sense;
  • Communications with unknown IP or email addresses increase; and
  • Markings indicating tampering around key areas of the device (e.g., hard drive or SSD compartment, display area).
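Several of these warning signs (traffic to unknown addresses, unusual bandwidth, timestamps that do not line up) can be checked against network flow records for the device. The script below is an added example, not part of the NIST report or this post; it assumes a hypothetical whitespace-separated flow export (timestamp, source, destination, port, bytes) and a constructed allowlist and baseline for a copier at 10.0.5.20.

```python
"""Check constructed flow-log lines for three NIST replication-device warning signs:
communications with unknown peers, a bandwidth spike over baseline, and
out-of-order timestamps. Added example; log format, allowlist and baseline are assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample flow export (hypothetical sensor format).
# Fields: timestamp, source IP, destination IP, destination port, bytes sent.
SAMPLE_FLOWS = """\
2015-03-02T09:00:12 10.0.5.20 10.0.5.10 445 18200
2015-03-02T09:05:40 10.0.5.20 10.0.5.11 25 3100
2015-03-02T09:14:03 10.0.5.20 10.0.5.10 445 22050
2015-03-02T10:02:17 10.0.5.20 198.51.100.77 443 912000
2015-03-02T10:00:05 10.0.5.20 10.0.5.10 445 15000
2015-03-02T10:31:44 10.0.5.20 198.51.100.77 443 1340000
2015-03-02T11:10:09 10.0.5.20 10.0.5.11 25 2800
"""

DEVICE_IP = "10.0.5.20"  # the copier under review (constructed)
# Assumed allowlist: the print server and the mail relay the copier scans to.
KNOWN_PEERS = {"10.0.5.10", "10.0.5.11"}
# Assumed baseline from a quiet week of normal operation, in bytes per hour.
BASELINE_BYTES_PER_HOUR = 60_000


def parse_flows(text):
    """Parse one flow record per line into dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def unknown_peers(flows, device_ip=DEVICE_IP, known=KNOWN_PEERS):
    """Destinations the device sent traffic to that are not on the allowlist."""
    return sorted({f["dst"] for f in flows
                   if f["src"] == device_ip and f["dst"] not in known})


def bandwidth_spikes(flows, device_ip=DEVICE_IP,
                     baseline=BASELINE_BYTES_PER_HOUR, factor=3):
    """Hours (ISO format) in which the device sent more than factor x baseline bytes."""
    per_hour = defaultdict(int)
    for f in flows:
        if f["src"] == device_ip:
            hour = f["ts"].replace(minute=0, second=0, microsecond=0)
            per_hour[hour] += f["bytes"]
    return sorted(h.isoformat() for h, b in per_hour.items() if b > factor * baseline)


def out_of_order_timestamps(flows):
    """Records whose timestamp precedes the previous record's; a sign the device
    clock or its logging has been altered."""
    return [cur["ts"].isoformat() for prev, cur in zip(flows, flows[1:])
            if cur["ts"] < prev["ts"]]


def review(text):
    """Run all three checks and return the findings keyed by warning sign."""
    flows = parse_flows(text)
    return {
        "unknown_peers": unknown_peers(flows),
        "bandwidth_spikes": bandwidth_spikes(flows),
        "out_of_order_timestamps": out_of_order_timestamps(flows),
    }


if __name__ == "__main__":
    for sign, hits in review(SAMPLE_FLOWS).items():
        print(f"{sign}: {hits or 'none'}")
```

A hit on any check is a prompt to pull the device's own logs and configuration for review, not proof of compromise on its own.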

Countermeasures
An Appendix to the Report provides a very useful device risk assessment template and checklist. It gives practical guidance on best security practices, across the entire lifecycle of the device. Examples of some countermeasures include:

  • At acquisition, or in third party supply and support contracts, ensure that the device meets common data security standards, is capable of operating in a secure mode, and that the OS is actively supported by the OEM;
  • At deployment, change vendor default passwords, and configure the device to operate in a secure mode;
  • During operation, control device access through PINs and passwords, control physical access to the device itself and its components, such as the SSD or hard drive, and track usage, ensure that stored and transmitted data are encrypted, and timely implement OEM security “patches” and fixes;
  • During operation, control network access using standard organization practices, close unused open ports and protocols, disable wireless identifier broadcasting, and configure the device to prevent communications to and from unknown and unwanted addresses (blacklist/whitelist); and
  • When taking the device out of service, change all passwords and PINs to vendor defaults, and remove or sanitize all hard drives and SSDs on which data may be stored.

The NIST report is available here.

If you have any questions, or for more information on data security, please feel free to contact me or Ben, directly.

BrandVerity’s Latest Study on the Use (and Abuse) of Branded Keywords in Paid Search

Posted in Brands and Trademarks, Hotels

We are excited to announce that The State of Branded Keywords in Paid Search, Q4 2014 is now available for download from our good friends (and former contributors) at Seattle-based BrandVerity. This comprehensive report shows how third parties use popular brand terms in paid search advertising, and includes over 250 brands from 10 different categories. This report is an update of their Q3 2014 study, previously featured on our blog.

If you have any questions about the report, please feel free to contact me.

How Does the NLRB’s Ruling on Non-Business Use of Email Affect Your Business?

Posted in Employment Law, Technology

Are your employees using company email during nonworking hours?  Victoria Slade, member of our Labor and Employment Group, brings us the latest developments in NLRB’s ruling and important policy changes that employers can implement to comply with the ruling.  Thank you, Vicky! – Greg

As you may have heard, the NLRB recently ruled that employees who are given access to their employer’s email system for their jobs must be permitted to use that email system during nonworking time to engage in protected activity, such as forming a union or discussing terms and conditions of employment.  This ruling applies to both unionized and non-unionized workforces.  The ruling has caused some controversy because it overturned long-established precedent.  It is not, however, a reason to panic.  Employers who are already complying with the NLRB’s guidance on social media need only make a few changes to their policies.

The case is called Purple Communications, Inc., and all 70-plus pages of the order are available here (under “Board Decision” dated 12/11/2014).  The rule before this case was that an employer had the right to restrict non-business use of its email system, so long as it did so in a non-discriminatory fashion.  In Purple, the Board held that employees must be granted access to use their employer’s email system during nonworking time to engage in protected activity, such as discussing terms and conditions of employment.  Employers with a strict rule that work email is for business use only will therefore need to revise their policy to allow employees to use company email during nonworking time to engage in protected activity.  There are some limited exceptions to this rule, for circumstances where permitting use of company email for protected activity will seriously disrupt productivity or business operations.  If you think this is the case for your business, please contact us, and we can help you craft a policy that should satisfy the NLRB.

If, like many employers, you already allow non-business use of work email during nonworking time, this decision still impacts you.  Most employers have some kind of policy that regulates what employees can do on the company’s email and other communication systems.  Because the Purple ruling requires employers to allow employees to use company email to engage in protected activity, restrictions that infringe on this right are no longer OK.  This, too, is no reason to panic, however, because it simply means your use of technology policy has to look a bit more like your social media policy (you have one of those, right?).  As discussed in the blog posts available here, the Board has already issued a series of rulings and memoranda explaining how it will evaluate social media policies.  Generally speaking, the Board has stated that a policy will be struck down if it could be read by a reasonable employee to prohibit protected activity, such as engaging in collective action or discussing conditions of employment.

Although Purple Communications was a dramatic opinion, in that it overturned decades of previous Board law, it should not be difficult for businesses to adapt.

If you have any questions about how to comply with this decision, we would be happy to help.  Please feel free to contact me or Vicky.

 

Does Your Employee Have a New Social Security Number? How to Comply with Form I-9 Requirements

Posted in Employment Law

Gregg Rodgers chairs GSB’s Immigration Practice Group and is a member of our Hospitality, Travel & Tourism practice team.  His post today provides important steps to take when employers are faced with an employee with a new SSN or Employment Authorization Document.  Thank you, Gregg! – Greg

How would you respond if a valued, long-time employee notified you that she has a new social security number (SSN) and/or an Employment Authorization Document (EAD) that includes different information about her than in your current records?  This happens for hotel and restaurant employees more often than you may realize.  Being ready to act quickly, and legally, can be important for you, the employee, labor relations (if in a collective bargaining situation) and your business.

The first question that many employers want to ask is, “Why did your number change?”  The employee may voluntarily provide that information without you asking.  But do you want or need to know, and can you believe whatever explanation is provided?  The safer course of action is to proceed with a protocol that you can apply uniformly in all situations.

What could be the reason for assignment of a “new” social security number?

There are few situations in which the Social Security Administration (SSA) will change someone’s legitimate SSN, including witness protection, domestic violence issues, the correction of an SSA error in which it assigned the same number to multiple individuals, or because of identity theft.  But otherwise, the most common reason to report a changed SSN to an employer is because the person has only recently become legally authorized to work and the number previously used was not legitimate.

President Obama’s Executive Actions in mid-2012 and again in late 2014 have made it possible for certain people who came to the U.S. without documentation as children, or for certain undocumented parents of U.S. citizens or Lawful Permanent Residents, to be issued time-limited EADs, which have allowed them to be issued legitimate SSNs.  Those eligible for consideration under these programs, called Deferred Action for Childhood Arrivals (DACA) and Deferred Action for Parents of Americans and Lawful Permanent Residents (DAPA), are the most likely to present themselves to you.  (As we go to “press,” Congress is already taking aim at eliminating both DACA and DAPA.  I will have more to say about the effects of the President’s 2014 Executive Action regarding employment-based immigration in a future blog entry.)

Long-term hotel and restaurant employees may appear to be more affected by DACA and DAPA than in many other industries.  This may be because these individuals have had little opportunity or motive to move from job to job, even in the highly mobile service industry, because of concern that Form I-9 procedures could result in a new employer’s discovery of the lack of official documentation or employment authorization.  For many affected by DACA and DAPA, job security has been more important than mobility.

Should I discipline the employee?  Am I required to discipline the employee?

What if you become aware of the fact that the SSN you have previously associated with this employee was not that person’s legally assigned SSN?  This would certainly be the case for a DACA or DAPA set of facts.  This could be considered falsification of business records or a violation of a company’s “honesty in the business” policies.

As a business, you have a couple of choices, based on your policy/ies, collective bargaining agreement (if the employee is represented by a union), and/or history of action in similar circumstances.  You must be sure that, whatever you do, it does not result in disparate treatment involving any legally or contractually protected status.  Make sure that proper protocols are followed for any investigation or action taken.  If the employee is represented by a union, proper protocols should include reviewing the discipline-related articles of the collective bargaining agreement to ensure compliance, and providing representation for the employee if requested and required.

Assuming it is determined that the employee had purposely provided false information, taking disciplinary action up to and including dismissal may be appropriate, considering other cases with that employer, the employer’s policy regarding honesty in the business, collective bargaining agreements, and status in any protected class.

Many employers confronted with DACA or DAPA cases are unwilling to dismiss a valued worker in this situation.  Taking disciplinary action, or taking no disciplinary action, is not mandated by the government.  However, you should be sure that whatever choice is made, it is not illegally discriminatory or in violation of a collective bargaining agreement.

How do I comply with Form I-9 Requirements?

The underlying basis of the presentation of a new SSN, or an EAD (which is likely to be accompanied by reference to a new SSN), may be of no real interest to you.  Assuming you decide to continue her employment, your focus should be on what to do with the new information, which involves the Employment Eligibility Verification form, the Form I-9.

Assuming she was hired after November 6, 1986, when the Form I-9 came into existence, and the employer has a Form I-9 for her, you need to fully verify her employment authorization.  This may allow an opportunity to run this new information through E-Verify if you are registered.

The government has prepared a helpful resource document related to DACA cases, but which is also applicable to DAPA cases and cases in which you have been advised that a new SSN has been issued.  You will see that the focus is clearly on the objective information presented, not the mystery behind it.

Your focus is on having a properly completed Form I-9 on file. 

If the information presented reflects a change to any of the information in Section 1 of the previously completed Form I-9, such as name, date of birth, attestation, or SSN (which is not always required in Section 1), she and you should complete a new Form I-9, using the original date of hire, and attach it to the previously completed Form I-9.  This applies in either situation, whether only an SSN change has been reported or an EAD has been presented.  Of course, as a part of this process, you must examine and record information from the original document(s) presented to complete Section 2 and, if your policy is to always copy documents presented, do so.  Employers who participate in E-Verify should verify the new Form I-9 information through E-Verify.

If the information presented requires no change to any information in Section 1 of the previously completed Form I-9, such as if no SSN had been noted and no attestation change is required, you may complete Section 3 of the previously completed Form I-9 if the version used for the previous verification is still valid for use as of the current date.  If Section 3 of the previously completed Form I-9 has already been completed, or if the previously completed Form I-9 is not currently valid for use, you should complete Section 3 of a new Form I-9, being sure to write the employee’s name at the top of Section 2.  Attach any newly completed Form I-9 to the previously completed Form I-9.  This situation does not require or authorize a new E-Verify check.

In all cases, be sure to examine the original documentation.  You must certify that you have done so, and that the documentation appears to be genuine and relates to the employee presenting it.

The employee may choose which documents to present, either List A, or List B and List C.  In only very limited circumstances may you legally suggest to the employee what documentation to present for Form I-9 purposes.  Rather, provide the employee with the List of Acceptable Documents included with the Form I-9 and let the employee choose what to present to you.  An employee who has a “new” SSN may choose to present an EAD as a List A document and is not necessarily required to present an SSN card as a List C document.

  • In all cases, be sure to record the document title, document number, and its expiration date (if any).
  • In all cases, be sure to sign and date the Form I-9 in the appropriate space.
  • Remember to reverify the employee’s documentation by the date the validity period of a List A document expires, except for passports or Lawful Permanent Resident cards.  Never reverify List B documents.

I also suggest that you consider preparing a memo to the file, also to be clipped to the Form I-9, explaining what happened and when, and signing and dating it.  This will allow an auditor, potentially years from now when none of the parties may be available to explain it, to understand exactly why this action was taken.

Forms I-9 and related attachments must be retained for at least three years after the date of hire or one year after the date the individual’s employment is terminated, whichever is later.

What to do?

It is important to recognize that an employee’s presentation of the kind of information referenced here is a very serious matter in that employee’s life.  Emotions can be high for that employee, co-workers, representatives, and yes, even you.  Like anything you do in your job, planning for your response to a situation like this, and responding in a manner that can be seen as fair and reasonable can go a long way toward maintaining good employee relations and legal compliance.

If you have any questions about I-9 compliance, please call me or Gregg.