A Data Breach Does Not Have to Be Scary

When asked what they lose sleep over at  night, General Counsel and Chief Executive Officers often give the same answer, “data breach” — and with good reason. A recent IBM study put the cost of the average data breach at nearly $3.5 million dollars. Of course, the larger the breach, the larger the price tag.A Data Breach Does Not Have to Be Scary

There is a sense of inevitability in the recent scourge of data breaches. Boards of directors and corporate leadership teams worry about the size and unpre- dictability of the risk, but are unsure what to do about it.

Cyber insurance that mitigates losses from cyber incidents is a new, hot product being considered by many businesses, especially those that take payment cards. Not all cyber insurance policies, however, cover the boards of directors, agency fines, and non- personal proprietary data that are stolen. Coverage depends on the policy purchased. Consequently, there is a lot left to worry about even with a good cyber insurance policy.

The Legal Landscape

The United States, unlike the European Union and many Asia-Pacific countries, does not have a federal data breach law. Instead, 48 of the 50 states and many U.S. territories have enacted their own data breach legislation. These are enforced primarily by states’ attorneys general.

At the federal level, consumer privacy is legislated industry-by-industry. For example, financial institu- tions are governed by their prudential regulators and the newly minted Consumer Financial Protection Bureau (“CFPB”). Another example concerns the healthcare industry, which must adhere to the  Health Insurance Portability and Accountability  Act (HIPAA) — the healthcare privacy law admin- istered by the Department of Health and Human Services (“DHHS”).

The Federal Trade Commission (“FTC”) is the lead federal agency regulating cyber security and data privacy for much of the rest of U.S. commercial enterprises. The Commission has brought actions against the retail, hospitality, and technology indus- tries, among others, for failure to maintain (what the FTC considers) sufficient cyber security. In other words, the FTC has sued private companies on behalf of U.S. consumers under the Federal Trade Commission Act for allegedly not having appropri- ate technology security protocols, failing to main- tain proper privacy or security policies, touting greater data security practices than were actually in place, and lacking employee training on information security practices, among other things.

On the state level, North Carolina’s data breach law is typical. The office of the North Carolina Attorney General, Roy Cooper, enforces North Carolina’s data breach statute, which applies to any North Carolina business that owns, licenses, maintains, or possesses “personal information” about state residents, whether in digital or paper format. “Personal infor- mation” is a consumer’s name or initial and last name combined with identifying information such as a social security number, driver’s license number, account number, credit card number, debit card number,  password,  biometric  identifier,  fingerprint or password.

The North Carolina data breach statute mandates that individual consumers be notified “without unreasonable delay” in the event an unauthorized person accesses their information in a manner that may cause that consumer harm. (The “breacher” may be an employee, former employee or a hacker.) As a practical matter, notice often is expected to be given within two weeks of a data breach, unless there is a need to extend the deadline in order to work with law enforcement.

Regulators like the FTC, DHHS, the Attorney General, and the financial regulators appear to be cracking down hard on privacy and data security. This is a growing trend that shows no sign of slowing.

The Risk Assessment

A company can protect itself from data breaches by getting a regulatory and cybersecurity risk assess-ment. A risk assessment will do several things. First, it will identify vulnerabilities and threats that exist in your company and help you plan ways to treat those risks. A good risk assessment balances risk treatment with your business’s goals and resources and documents that process.

Second, working with a privacy and cyber security lawyer, the assessment will enable your company to build information security and privacy policies to create a cybersecurity-minded culture and help insulate the company from legal risk. This is much like anti-harassment and EEO (equal employment opportunity) policy processes.

Third, after the risk assessment is completed, the lawyer and the IT professional will help you implement a complete information security plan by working with your team to train employees on the company’s new cyber security and privacy policies and procedures.

This three-part plan reduces both the company’s chance of a security breach and the likelihood of successful legal action in the event of a breach. The thoroughness of the risk assessment itself becomes a legal defense, even if there is a breach. Think of it as the “we-did-everything-we-reasonably-could” defense.

Penny Wise and Pound Foolish

A surprising number of companies have not had a regulatory cybersecurity risk assessment. That is regrettable. The upfront cost in analyzing vulnera- bilities and preventing security incidents and legal action, while often not insignificant, can save untold amounts down the road. A risk assessment is consid- erably less expensive than a data breach.

If you would like more information on data privacy and security, please contact Amy Worley (Amy.Worley@jacksonlewis.com) or the Jackson Lewis attorney with whom you regularly work.

H-1B Visa Numbers Up More Than 35%

U.S. Citizenship and Immigration Services announced on April 13 that it had completed the annual H-1B non-immigration visa lottery selection, having received approximately 233,000 petitions for fiscal year 2016 (beginning in October 2015), an increase of more than 35 percent from last year (172,500 petitions). USCIS randomly selected petitions to meet the general category cap of 65,000 and the advance degree exemption of 20,000. Based on this year’s numbers, it appears that barely more than one petition in three was selected.

Alternatives to H-1B

Since the majority of employers who filed under the H-1B cap had their cases rejected, employers must consider alternatives for sponsored employees. For instance, employees just graduating or with additional Science, Technology, Engineering and Mathematics (STEM) on Optional Practical Training (OPT) time can try again for next year’s H-1B cap and work this year on their OPT work authoriza- tions. For F-1 students who will run out of OPT time this summer and new employees who are not working in another renewable status, other creative solutions may be available.

Employers with related foreign entities can assign the employee to work at the foreign entity for one year, and then sponsor the employee back to the U.S. as an L-1 intracompany transferee. This process is easier if the employee is a manager because the L-1B or specialized knowledge category, another possibility, is highly scrutinized and suffers from a disproportionately high denial rate. The L-1B guidance is under agency review and will be revised to make this a more attractive option than the H-1B for employers with related foreign entities.

If the employee has an extremely well-regarded skill set, an O-1 visa may be the right choice. O-1 is the category for workers of “extraordinary ability” and is reserved for those who have shown extraordinary ability in the fields of science, education, business, athletics, or the arts. To qualify, petitioners must show that they can meet at least three of the follow- ing criteria:

  • Receipt of nationally or internationally recognized prizes or awards for excellence in the field of endeavor.
  • Membership in associations in the field for which classification is sought which require outstanding achievements, as judged by recognized national or international experts in the field.
  • Published material in professional or major trade publications, newspapers, or other major media about the beneficiary and the beneficiary’s work in the field for which classification is sought.
  • Original scientific, scholarly, or business-related contributions of major significance in the field.
  • Authorship of scholarly articles in professional journals or other major media in the field for which classification is sought.
  • A high salary or other remuneration for services as evidenced by contracts or other reliable evidence.
  • Participation on a panel, or individually, as a judge of the work of others in the same or in a field of specialization allied to that field for which classification is sought.
  • Employment in a critical or essential capacity for organizations and establishments that have a distinguished reputation.

Finally, employers can join ongoing lobbying efforts to change the H-1B cap and process. For example, high profile technology figures, including Mark Zuckerberg, have founded FWD.us, a nonprofit organization that supports comprehensive immigration reform and, specifically, more investment in scientific innovation.

Please contact Nicola Prall (PrallN@ jacksonlewis.com) if you have any questions about the H-1B or other visas.

Five Things About North Carolina Employment Laws

Here are five unusual employment laws in North Carolina waiting to trip the unwary employer:

  • Mandatory E-Verify: North Carolina is one of only seven states that require the use of E-Verify or a similar system by most private employers. Employers with at least 25 employees must use E-Verify. Individuals whose term of employment is less than nine months in a calendar year are exempted from the definition of “employee” for this purpose, not counting towards the 25-employee threshold.
  • No forfeiture of unpaid vacation: If an employee has not taken all of his or her vacation at termination, the employee must be paid for that unused time. To avoid this payment, employ- ers must give specific written notice that vacation pay is forfeited at termination.
  • Notification for changes in wages: If an employer in North Carolina wants to change an employee’s pay, it must inform that employee of that change in writing at least 24 hours before the change takes effect.
  • Consideration required for restrictive covenants signed after hire: If an employer wants to add certain restrictive covenants (such as a non-compete) after an initial hire, it likely must provide consideration or payment to the employee to ensure the agreement is effective.
  • Parental Involvement Leave: North Carolina law provides parents, guardians, or persons stand- ing in loco parentis of a school-aged child up to four hours of leave each year to attend and be involved in their children’s activities.