November 1, 2018

Updates on Harassment Charges, Overtime Rule, and Drug Testing

Cecilia Romero

By Cecilia Romero

EEOC’s Preliminary Sexual Harassment Data Shows Huge Increase

The Equal Employment Opportunity Commission (EEOC) released preliminary data earlier this month for fiscal year (FY) 2018. Its data shows:

  • The EEOC filed 66 harassment lawsuits, including 41 that included allegations of sexual harassment, reflecting more than a 50 percent increase in suits challenging sexual harassment over FY 2017.
  • Charges filed with the EEOC alleging sexual harassment increased by more than 12 percent from FY 2017.
  • The EEOC recovered nearly $70 million for the victims of sexual harassment through litigation and administrative enforcement in FY 2018, up from $47.5 million in FY 2017.

Perhaps this data is a reflection of the “#MeToo” movement with alleged victims more willing to come forward. But it also shows the EEOC’s focus on preventing and remedying workplace harassment, as the agency continues to actively enforce federal anti-discrimination laws while also educating employees, employers, and the public on unlawful harassment.

DOL Delays Revised Overtime Rule Until Spring

The U.S. Department of Labor’s (DOL’s) Wage and Hour Division is working on revising the regulations that implement the exemption of bona fide executive, administrative, and professional employees from the Fair Labor Standards Act’s minimum wage and overtime requirements. Most of you will recall the tortured history of the previously updated salary threshold that was promulgated under the Obama Administration and would have raised the salary level for the exemption to an annualized salary of $47,476. That final rule was never implemented, due to a nationwide court injunction so the salary level remains at $23,660 per year ($455 per week). Now, the DOL’s Notice of Proposed Rulemaking that will propose an updated salary level for the exemption and seek the public’s view on the salary level and related issues has been delayed until March of 2019. Reports suggest that the proposed salary level will be in the low $30,000 range annually, or close to $600 per week. We’ll have to wait and see what is proposed in the Spring – we’ll keep you posted.

OSHA Clarifies Post-Incident Drug Testing Position

On October 11, 2018, the DOL released an interpretation memorandum from the Occupational Safety and Health Administration (OSHA) that is meant to clarify OSHA’s position on post-incident drug testing and safety incentive programs in the workplace. Applicable regulations, 29 C.F.R. § 1904.35(b)(1)(iv) states, “you must not discharge or in any manner discriminate against any employee for reporting a work-related injury or illness.” Previously, OSHA had indicated that post-incident drug-testing requirements could be considered retaliatory for employees who report or are involved in workplace safety incidents, or could otherwise chill an employee’s willingness to report a safety issue or workplace injury.

In its new interpretation, OSHA clarifies that it “…believes that many employers who implement safety incentive programs and/or conduct post-incident drug testing do so to promote workplace safety and health. In addition, evidence that the employer consistently enforces legitimate work rules (whether or not an injury or illness is reported) would demonstrate that the employer is serious about creating a culture of safety, not just the appearance of reducing rates. Action taken under a safety incentive program or post-incident drug testing policy would only violate 29 C.F.R. § 1904.35(b)(1)(iv) if the employer took the action to penalize an employee for reporting a work-related injury or illness rather than for the legitimate purpose of promoting workplace safety and health.”

October 2, 2018

Wyoming Employer Sued for Paying Female RNs Less Than Male RNs

Brad Cave

by Brad Cave

Paying an experienced female registered nurse (RN) less than a newly licensed male RN has a Wyoming healthcare employer defending a lawsuit brought by the Equal Employment Opportunity Commission (EEOC). On September 28, 2018, the EEOC filed a complaint in the federal court in Wyoming alleging that Interim Healthcare of Wyoming, Inc. (Interim) violated the Equal Pay Act and Title VII by paying employees of one sex lower wages than employees of the opposite sex for substantially equal work.

Pay Inequity Among RNs is Alleged

According to the complaint, female Nicole Aaker was hired by Interim as a Home Care RN in November 2015. Aaker had received her RN license from the Wyoming State Board of Nursing in June 1998 and at the time of her hire, had about 17 years of professional RN experience. Interim paid her $28 per hour.

The complaint alleges that Interim hired male RN Bailey Jessee as a Home Care RN in late May 2015, about six months prior to hiring Aaker. Jessee had just received his RN license from the State Board of Nursing in February 2015 and he had about two months of professional RN experience. Interim paid him $29 per hour.

Further statements in the complaint allege that at least five additional female nurses were paid hourly rates less than the $29 per hour rate paid by Interim to Jessee, including the following:

  • Female RN with about 2 years of experience was paid $26 per hour
  • Female RN with about 18 years of experience was paid $28 per hour
  • Female RN with about 30 years of experience was paid $26 per hour
  • Female RN with about 26 years of experience was paid $28.50 per hour
  • Female RN with about one month of experience was paid $26 per hour, and was given a raise to $28 per hour after over a year of employment with Interim.

Employer Allegedly Fails to Respond to Internal Complaints 

Interestingly, it was the male RN, Bailey Jessee, who appears to have raised the initial complaints to Interim about the disparity in his pay and Aaker’s pay, according to the complaint. Jessee allegedly raised the pay disparity issue at least twice to Interim Administrator Crystal Burback who responded that the pay difference was due to experience. When Jessee replied that Aaker had a lot more nursing experience than he did, Burback allegedly became angry and told Jessee that he shouldn’t discuss his salary at all.

The complaint further alleges that on another occasion, Jessee told Interim Director of Healthcare Service Lori Norby and Crystal Burback that he would be willing to take a pay cut to make his pay rate equal with Aaker’s hourly rate. Although Norby seemed willing to accept that offer, Burback allegedly became angry and defensive. A few months later, Jessee resigned from Interim.

The allegations in the complaint state that Aaker also complained to Burback about the pay discrepancy between her hourly rate and Jessee’s rate. Burback allegedly first responded that she was paid “per experience,” and then responded that it didn’t matter if Aaker had more experience than Jessee – she was hired at $28 per hour and it would not change. The complaint alleges that after receiving no response to her complaints, Aaker was constructively discharged on April 29, 2016.

Sex Discrimination Claim

Although the Equal Pay Act violation is front and center in the EEOC’s complaint, the allegations include that Aaker and other female nurses were subjected to working conditions involving sex discrimination that were so intolerable that the female nurses felt compelled to resign. In alleging constructive discharge based on sex, the EEOC writes that Burback engaged in inappropriate workplace conduct, including regularly demeaning Aaker, calling Aaker “stupid,” telling Aaker that she was not doing her job, slapping Aaker on the buttocks, and, in the presence of Aaker, grabbing a female social worker’s breast.

EEOC Seeks Damages and an Injunction

The EEOC has made enforcement of equal pay laws one of its six national priorities as specified in its Strategic Enforcement Plan. In the Interim lawsuit, the EEOC seeks a permanent injunction to stop Interim from engaging in compensation discrimination based on sex. The agency further seeks back pay damages for the female nurses for lost wages, liquidated damages, damages to compensate for pain and suffering, and punitive damages.

Audit Your Pay Practices for Disparities

Due to the EEOC’s focus on compensation practices that discriminate based on gender, employers are well advised to audit their own pay practices to determine whether they are paying employees in substantially similar jobs differently along gender lines. If so, take proactive steps now to correct any equal pay issues so that you do not become the EEOC’s next target.

September 26, 2018

SCOTUS Employment Cases and Petitions for The Upcoming Term

Steven Gutierrez

by Steven M. Gutierrez

The Supreme Court of the United States will begin its upcoming session on Monday, October 1, 2018. Currently, eight justices preside over the high court following Justice Anthony Kennedy’s retirement after the end of the last term. As we saw when the Court was short a justice following Justice Scalia’s unexpected death in 2016, the lack of a full nine-justice panel may result in some interesting decisions. Here are highlights of the cases and petitions that employers will want to watch for the upcoming term.

ADEA Application to Small Public Employers

On the Court’s first day of the new term, the justices will hear oral argument in a case that asks whether the Age Discrimination in Employment Act (ADEA) applies to all public employers, regardless of size, or only to those with 20 or more employees. The ADEA prohibits discrimination against applicants and employees who are age 40 or older. An “employer” is defined by the ADEA as “a person engaged in an industry affecting commerce who has twenty or more employees . . .” which clearly sets a 20-employee threshold for private employers. But the ADEA also applies to state political subdivisions (i.e., public employers) and federal appeals courts have disagreed on whether the 20-employee threshold applies to such public employers.

The U.S. Courts of Appeals for the Sixth, Seventh, Eighth, and Tenth Circuits have held that the ADEA applies to public employers of any size. The Ninth Circuit, however, has ruled oppositely, applying the 20-employee threshold to public employers. The Supreme Court granted the petition for a writ of certiorari to resolve the split in the circuits. Mount Lemmon Fire Dist. v. Guido, No. 17-587.

Arbitration Agreements

During its last term, the Supreme Court ruled that arbitration agreements that require an employer and employee to resolve employment disputes on a one-on-one basis, thereby prohibiting class actions, do not violate the National Labor Relations Act. (See post on the Epic Systems Corp. v. Lewis decision here.) This term, additional questions related to arbitration agreements will be before the Court.

In Lamps Plus, Inc. v. Varela, No. 17-988, the Court will hear a case in which an arbitration agreement did not mention or address class arbitration. In its 2010 decision in Stolt-Nielsen, S.A. v. AnimalFeeds International Corp., SCOTUS held that a court could not order arbitration to proceed using class procedures unless there was a “contractual basis” for concluding that the parties have “agreed to” class arbitration. The Court stated that courts may not “presume” such consent from “mere silence on the issue of class arbitration” or “from the fact of the parties’ agreement to arbitrate.” Yet, in the Lamps Plus case, a divided Ninth Circuit panel inferred mutual assent to class arbitration from standard language in the agreement, such as that “arbitration shall be in lieu of any and all lawsuits or other civil legal proceedings.” Consequently, the Supreme Court will review the Ninth Circuit’s decision to determine whether the Federal Arbitration Act (FAA) allows a state-law interpretation of an arbitration agreement that would authorize class arbitration based solely on general language commonly used in arbitration agreements. Oral argument in that case is set for October 29, 2018.

Another arbitration case before the Court this term questions the application of the FAA to independent contractor agreements. In New Prime Inc. v. Oliveira, No. 17-340, the Court must decide whether Section 1 of the FAA, which applies on its face only to “contracts of employment,” is applicable to independent contractor agreements. In that case, an independent contractor had signed a mandatory arbitration provision with an interstate trucking company agreeing to arbitrate all workplace disputes on an individual basis. However, Section 1 of the FAA provides that it does not apply “to contracts of employment of seamen, railroad employees, or any other class of workers engaged in foreign or interstate commerce.” The independent contractor filed a putative class action in court and opposed arbitration based on the Section 1 exemption. The Court also will address whether the FAA’s Section 1 exemption is an arbitrability issue that must be resolved in arbitration rather than by a court. Both parties will argue this case before the Court on October 3, 2018.

Petitions Not Yet Granted

Parties have petitioned the high court to hear other employment-related cases this term. The Court may or may not grant review of these cases, but they raise significant employment issues so are worth reviewing here.

Sexual Orientation Discrimination and Gender Identity Under Title VII

Title VII of the Civil Rights Act of 1964 does not explicitly prohibit employment discrimination on the basis of sexual orientation. Yet, at least three federal appellate courts, the Second, Sixth, and Seventh Circuit Courts, have ruled that Title VII’s ban on sex discrimination extends to prohibit sexual orientation discrimination. The Eleventh Circuit, however, ruled that Title VII does not give rise to a claim for sexual orientation discrimination.

Two petitions are being considered by the Court on this important issue. Altitude Express Inc. v. Zarda, and Bostock v. Clayton County are the two cases up for consideration and should the Court agree to accept review of either (or both), the decision could prove to be one of the most important for employers this term.

In a separate petition by R.G. & G.R. Harris Funeral Homes, an employer is challenging a Sixth Circuit decision that ruled in favor of the Equal Employment Opportunity Commission (EEOC), holding that Title VII applies to employment discrimination based on gender identity. The case involved an employee who was fired after telling her boss that she would be transitioning to a female gender identity and wanted to wear women’s clothing at work. Again, the potential impact of a SCOTUS decision on this issue will be wide-reaching for employers in the U.S.

Gender Pay Inequity

Also up for potential SCOTUS review is the Ninth Circuit’s controversial decision that an employer may not use a person’s prior salary to justify pay disparities. The Equal Pay Act (EPA) prohibits employers from paying men and women differently for the same work, but there are exceptions that include “factors other than sex.” In Yovino v. Rizo, the question is whether salary history qualifies as a “factor other than sex” when employers make pay determinations. The Ninth Circuit said no, salary history is not a factor other than sex. But the Seventh Circuit has stated that salary history is indeed a factor other than sex. The circuit split could make this timely topic ripe for the Supreme Court to accept review.

Labor Cases

At least two labor law cases are seeking SCOTUS review this term. The first, Ohlendorf v. Local 876, UFCW, involves whether a union violates its duty of fair representation if it refuses to allow members to rescind their dues checkoff authorization because the members failed to follow proper rescission procedures. The Sixth Circuit ruled in favor of the union, holding that it acted within its bounds when it continued to collect union dues from a couple of members who didn’t properly rescind their dues checkoff authorization. The workers seek to appeal that decision through SCOTUS review.

Another petition being considered by the Court would address whether a successor employer is obligated to bargain with the predecessor company’s unionized workers when the successor takes over the assets of another business. In Creative Vision Resources v. NLRB, the successor company is challenging a ruling by the Fifth Circuit, enforcing a National Labor Relations Board decision that the company violated federal labor law when it failed to bargain with the predecessor company’s union before imposing initial employment terms and conditions on the workers.

Stay Tuned

As always, we will continue to track these cases and petitions as they make their way through the Supreme Court’s term. Be sure to subscribe to our blog so that you receive our updates.

September 5, 2018

Join Us For Our Colorado Employment Law Update – Thursday, Sept. 13, 2018

2018 Employment Law Update – Denver, CO

Please join us for our complimentary half-day seminar on the latest developments in labor and employment law. We’ll cover hot topics and offer practical tips on how to handle the most challenging workplace scenarios. Highlights of our program include:

  • Significant L&E Updates
    • Class action waivers
    • Immigration, visas, and I-9 crackdowns
    • NLRB reversals
    • Colorado data privacy and employment law developments
  • Harassment and Discrimination: #MeToo and More
    • Prevention: policies and new training techniques
    • Investigating to reach a conclusion
    • Working with/against the EEOC and CCRD
    • Mediation, arbitration, or litigation?
    • Should you settle?
  • Managing Leaves, Accommodations, and Terminations
    • Intersection of FMLA and ADA
    • Handling indefinite leaves and work restrictions
    • Pregnancy accommodations under the new Colorado law
    • Discharging employees who’ve exercised their rights
    • Documenting your actions to aid your defense

Agenda: THURSDAY, SEPTEMBER 13, 2018
Registration and Breakfast | 8:00 – 8:30 AM
Presentations | 8:30 – 12:00 PM

Location: Holland & Hart LLP

555 17th Street
Suite 3200
Denver, CO 80202

Speakers:

Steve Gutierrez
sgutierrez@hollandhart.com

Emily Hobbs-Wright
ehobbswright@hollandhart.com

John Husband
jhusband@hollandhart.com

Jeremy Merkelson
jbmerkelson@hollandhart.com

Roger Tsai
rytsai@hollandhart.com

Mark Wiletsky
mbwiletsky@hollandhart.com

CLE and SHRM credit pending

Registrations are filling up fast so please reserve your spot now! To register online, please click here. We look forward to seeing you there!

August 30, 2018

Mark Gaston Pearce Nominated for Another NLRB Term

Steven Gutierrez

By Steve Gutierrez 

Late on August 28, 2018, President Trump nominated Mark Gaston Pearce to serve another term on the National Labor Relations Board (NLRB or Board). Pearce was appointed to the Board in 2010 by then-President Barack Obama for a partial term. He then served a full five-year term from 2013 until this week. Due to the expiration of Pearce’s term on August 27, 2018, the Board currently sits at four members, rather than the full five-member contingent.

As with all Board nominations, the Senate must vote to approve Pearce’s nomination before he may begin to serve a new five-year term. As a former union attorney, Pearce may face some opposition from management groups that see him as too pro-union. But the make-up of the five-member Board is traditionally comprised of three members who align with the president’s political party, in the current case, Republican, with the remaining two members aligning with the minority party. Currently, the three Republican members are Chairman John Ring, William Emanuel, and Marvin Kaplan. The lone Democrat, at least until Pearce or another person is confirmed, is Lauren McFerran whose term expires on December 16, 2019.

With the Board revisiting many hot button issues, such as joint-employer status and the use of an employer’s e-mail system for union activities, the Board members wield significant influence on workplace policies and potential employer liability for both union and non-union employers alike. We will keep you informed on Pearce’s confirmation as well as any other Board developments.

August 23, 2018

Asking Employees About Prescription Medicine Use

By Brad Cave

Brad Cave

As an employer, you may be tempted to ask your employees what prescription medications they use and whether their prescription drugs could affect their ability to perform their job. After all, you want to identify any potential safety and performance issues before they arise.

Be aware, however, that employers may ask about prescription medicine only in limited circumstances. The Americans with Disabilities Act (ADA) restricts employers from asking medical questions of applicants and employees. Asking about prescription medications clearly falls into the category of medical-related questions.

Under the ADA, an employer may ask a current employee about prescription medicine only when it’s job-related and consistent with business necessity. That means you may not ask all employees to disclose any medications they take. Instead, you need to determine the job positions for which prescription-related questions would be job-related and consistent with business necessity. Typically, those will be safety-sensitive positions, such as drivers, police officers, and heavy equipment operators. Employees in jobs that don’t face a significant job-related safety risk associated with the side effects of prescription medications should not be asked about their use of those drugs.

Remember that the ADA doesn’t permit employers to ask medical questions of job applicants. Only after a job offer has been extended to a candidate may you inquire about medical information or require the individual to undergo an examination. In addition, be certain to keep all medical information confidential and in files separate from your regular personnel files.

August 7, 2018

What Do Your Executives Have In Common With Seven-Figure Income College Coaches?

Beth Nedrow

By Beth Nedrow and Jeremy Ben Merkelson

Tax-exempt organizations may be surprised to learn of the practical impact of a statute enacted as part of the Tax Cuts and Jobs Act in December 2017. Section 4960 of the Internal Revenue Code immediately put in place restrictions on what it labels “excess” executive compensation. Some organizations initially concluded that Section 4960 would have little or no impact on them, but many are now finding that the rules have more bite than anticipated.

Section 4960 focuses on compensation paid by a tax-exempt organization to any “covered employee.” A “covered employee” is any person who was one of the organization’s five highest compensated employees for 2017 or any later taxable year. The surprising thing about this definition is that once a person is labeled a “covered employee” for any given year, they will remain in that category for the rest of their life. Read more >>

August 2, 2018

NLRB Revisiting Use of Employer E-Mail Systems

Steven Gutierrez

By Steve Gutierrez

On August 1, 2018, the National Labor Relations Board (NLRB or Board) issued an invitation for interested parties to file briefs on whether the Board should change or overrule its 2014 decision in Purple Communications, Inc., 361 NLRB 1050. In that case, the Board ruled that employees who already have access to an employer’s e-mail system at work may use that e-mail system during non-working time for Section 7 communications. In other words, employees may send e-mails to their co-workers related to union organizing and concerted activities related to wages or other terms and conditions of employment via their company’s e-mail system.

The Purple Communications decision had overturned an earlier ruling in Register Guard, 351 NLRB 1110 (2007) which held that facially neutral employment policies restricting employees’ use of their employer’s e-mail system did not violate the National Labor Relations Act merely because the policies might have the effect of limiting the use of those systems for union-related communications. The Board is now considering a case that will permit it to reconsider the use of an employer’s e-mail system by employees for Section 7 purposes. In fact, the Board also seeks comments on the appropriate standard for the Board to evaluate policies that govern the use of other employer-owned computer resources, not just e-mail.

NLRB Chairman John Ring and NLRB members Marvin Kaplan and William Emanuel issued the Notice and Invitation to File Briefs over the dissent of the other two Board members, Mark Gaston Pearce and Lauren McFerran. Those wishing to file an amicus brief must submit it on or before September 5, 2018.

July 19, 2018

FAQs About Implementing Arbitration Agreements and Class Action Waivers

Bryan Benard

by Bryan Benard

In late May, the U.S. Supreme Court ruled that arbitration agreements between an employer and an employee to resolve employment disputes through one-on-one arbitration do not violate the National Labor Relations Act (NLRA). In a huge win for businesses, the Epic Systems Corp. v. Lewis decision means that employers may use arbitration agreements to prohibit employees from filing and joining class or collective action lawsuits in employment-related matters.

In the weeks since SCOTUS’s decision, organizations have asked important and thoughtful questions on how to implement and use arbitration agreements and class action waivers with their employees. Although no guidance is “one-size-fits-all,” these FAQs may help answer common issues that come up.

Why Should We Use an Arbitration Agreement? 

By requiring that employees resolve employment disputes through arbitration instead of filing a lawsuit in court, employers may benefit from numerous differences in both procedure and exposure. First, proceedings before a neutral arbitrator (or panel of arbitrators) are handled in private whereas lawsuits filed in a state or federal court are available to the public. In other words, unless documents are filed under seal, most court documents, hearings, and trials will be open to anyone, including reporters, competitors, other employees, etc. Consequently, requiring arbitration keeps publicity related to employment disputes at a minimum.

Second, procedures and evidentiary rules differ between arbitration and court proceedings. An employer may set forth in the arbitration agreement which arbitration rules will govern employment-related disputes. In addition, the employer and employee (and their attorneys) mutually select an arbitrator whereas the parties to a court action do not have input into the judge assigned to their lawsuit. In addition, an arbitrator has broad discretion over discovery and need not follow formal discovery and civil procedure rules that govern the courts (which may or may not be desirable in a given context). Finally, although there are some grounds for judicial review, arbitration awards generally cannot be appealed, meaning that disputes can get to a final resolution quicker.

What are the Benefits of a Class Action Waiver? 

A class action waiver is typically one provision within an arbitration agreement stating that the employee agrees to resolve employment disputes on an individual basis and agrees to refrain from pursuing or joining any class or collective actions in conjunction with his or her fellow employees. By having employees waive class actions, businesses may avoid lengthy and expensive class action lawsuits that often involve hundreds, even thousands, of current and/or former employees nationwide. In addition, attorneys who represent employees are unlikely to receive the millions in attorneys’ fees that can be awarded as class counsel when forced to represent employees on an individual basis.

Are There Any Downsides to Using an Arbitration Agreement and/or Class Action Waiver?

Sure, it is possible that mandatory arbitration agreements and class action waivers may not be a good fit for every employer or for use with every employee. Although generally viewed as a benefit to employers, private arbitration can mean that resolution of an issue with one employee does not bind or even influence the resolution of that same issue with other employees. Accordingly, some employers may want to have a court rule on the lawfulness of a particular policy or practice so that it has more certainty for future enforcement.  Also, smaller companies may not see the benefit in separately litigating each employee’s dispute in a separate proceeding if the company only has a handful of employees—meaning that in some situations, addressing multi-plaintiff cases could be less expensive if the pool of employees is relatively small.

In addition, arbitration is not always less expensive than court litigation since the employer is generally required to pay its own attorneys’ fees as well as most of the arbitration and arbitrator fees. There is also criticism and skepticism leveled at arbitration, on the theory that arbitrators will not grant motions to dismiss or summary judgment motions, or may attempt to “split the baby” rather than making tough decisions in favor of employers. Finally, a remote but possible scenario in a tight labor market is that key employees may refuse to agree to these mandatory agreements resulting in the loss of good talent or skilled, experienced workers. 

May We Make New Employees Sign a Class Action Waiver as a Condition of Employment?

Generally, yes. You may make it a condition of employment that new hires sign a mandatory arbitration agreement with a class action waiver. Read more >>

July 17, 2018

New Colorado Data Privacy Requirements Apply to Employers

Dustin Berger

By Dustin D. Berger

Organizations that employ workers in Colorado will soon face more stringent data privacy requirements, thanks to new legislation signed into law by Governor Hickenlooper at the end of May. This new law, HB 18-1128, imposes new obligations on all covered entities in the state that maintain documents that contain personal identifying information of Colorado residents. These obligations go into effect on September 1, 2018. Here are the highlights of the new requirements and steps employers should take to comply.

Practically All Employers Will Be Affected by the New Law

The new law applies to a “covered entity,” which is essentially defined as any individual or entity “that maintains, owns, or licenses personal identifying information”—regardless of how much business the covered entity does within Colorado. The statute defines “personal identifying information” as “a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data; an employer, student, or military identification number; or a financial transaction device.”

Because virtually all employers maintain information on their employees that is considered personal identifying information, such as social security numbers, employer identification numbers, passport numbers, or driver’s license numbers, employers with Colorado employees will be subject to the requirements of the new law.

The key provisions in the new law are its requirements that covered entities: (1) maintain reasonable security procedures and practices; (2) establish and follow a written policy for the destruction of personal information when it is no longer needed; (3) ensure that third-party service providers handling their personal information have implemented and maintained reasonable security procedures and practices; and (4) follow the law’s notification procedures when it becomes aware that a security breach “may have” occurred.

1.         Reasonable Security Procedures and Practices

HB 18-1128 creates a new statutory section, C.R.S. § 6-1-713.5, that requires covered entities to implement and maintain reasonable security procedures and practices to protect personal identifying information from unauthorized access, use, modification, disclosure, or destruction. While not specifying exactly what type of security procedures are required, the new provision states that such procedures must be appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.

If a covered entity discloses personal identifying information to a third-party service provider, it must require that the service provider implement and maintain reasonable security procedures and practices, as outlined in number 3 below. 

2.         Disposal of Documents Containing Personal Identifying Information

Colorado has had a statute governing the disposal of documents containing personal identifying information since 2004, but the new legislation amends C.R.S. § 6-1-713 to expand covered entities’ responsibilities with respect to personal identifying information. Now, the disposal requirements apply to documents that are kept electronically as well as those kept in paper form. The new law also requires that covered entities implement a written policy specifying that the entity shall destroy (or arrange for destruction of) the documents by making the information unreadable or completely indecipherable.

3.         Ensure Third-Party Service Providers Have Reasonable Security Procedures

If a covered entity discloses personal identifying information to a third-party service provider, the covered entity must now require the service provider implement and maintain reasonable security procedures and practices that are reasonably designed to help protect the information from unauthorized access, use, modification, disclosure, or destruction, as appropriate to the nature of the information disclosed to the service provider. A third-party service provider is defined as an entity that has been contracted to maintain, store, or process personal identifying information on behalf of a covered entity.

4.          Security Breach Notification Requirements Enhanced

The new law significantly amends Colorado’s statute governing notifications of a security breach, C.R.S. § 6-1-716. A “security breach” is defined, in relevant part, as the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity.

Under the new provisions, a covered entity has no more than 30 days to provide notice of a security breach. Notice must be made to affected Colorado residents in a very specific manner including notice by mail, telephone, electronically, or by substitute notice, and must contain a myriad of information regarding the breach and options that are available to the affected person. If a breach is reasonably believed to have affected 500 Colorado residents or more, the entity also must provide notice of the breach to the Colorado Attorney General.

And, unlike the previous law, the 30-day period begins to run when the covered entity becomes aware that a “security breach may have occurred.” In the prior version of the law, the 30-day period did not begin to run until the covered entity became aware of a breach. This change is likely to increase the pressure on covered entities to timely respond to indicators and predictors of a security breach. 

Sanctions 

Employers who violate the law can face enforcement proceedings from the Colorado Attorney General or the district attorneys of the state. These proceedings can result in civil penalties of up to $2,000 per affected person, up to a maximum of $500,000 per incident. They also can be liable directly to affected persons who are harmed by the violation.

Steps for Employers to Take

The new data security requirements go into effect on September 1, 2018, so employers who maintain personal identifying information on Colorado residents have little time to prepare to comply. Steps to take include:

  • Develop and implement reasonable practices designed to protect personal identifying information from unauthorized access, use, or disclosure (e.g., password-protection, encryption, etc.) that are commensurate with the sensitivity of the personal identifying information.
  • Create a written policy regarding the destruction and disposal of paper and electronic documents containing personal identifying information.
  • Review agreements with third-party service providers to ensure that service providers have reasonable procedures to protect the security of personal identifying information provided to them.
  • If you have a security incident response plan, update it to reflect the changes in the law.
  • If you do not have a security incident response plan, prepare one to ensure that you can meet the new law’s notification requirements.