
New York’s New Rules on Employee Electronic Monitoring

On November 8, 2021, New York Governor Kathy Hochul signed into law Senate Bill 2628 / Assembly Bill 430, making New York the third state, following  Connecticut and Delaware, to require employers to provide notice of electronic monitoring to employees.


Who is covered?

The new law defines employers as “any individual, corporation, partnership, firm, or association with a place of business in the state.” The definition does not “include the state or any political subdivision of the state.”


What is required?

“Any employer who monitors or otherwise intercepts telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage of or by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio, or electromagnetic, photoelectronic or photo-optical systems, shall give prior written notice upon hiring to all employees who are subject to electronic monitoring.”

Such notice must be: (1) in writing, in an electronic record, or in some other electronic form; (2) acknowledged by the employee either in writing or electronically; and (3) conspicuously placed and readily available for employees.

Please note that the requirements of this new law do not apply to electronic mail, telephone, and internet usage processes that are “performed solely for the purpose of computer system maintenance and/or protection.”


Enforcement

The new law allows for enforcement by the attorney general. The maximum civil penalty for the first offense is $500. The maximum civil penalties for the second and third offenses are $1000 and $3000, respectively.


Effective Date

This new law takes effect on May 7, 2022.

Considering the evolving legal landscape and impending laws such as the employee electronic monitoring law recently enacted in New York, the Beckage Compliance team recommends that companies review existing policies and procedures. Employee notices, acceptable use policies, and employee handbook provisions are among the items that should be reviewed annually to ensure the representations align with any new legal obligations. Companies should also review employee login banners and evaluate and audit the process for tracking and documenting employee acknowledgment.

*Attorney advertising: prior results do not guarantee similar outcomes.




OCC/FDIC Board Final Rule for Bank Organizations Notification Requirements

On November 18, 2021, the three primary federal banking regulatory agencies (the Office of the Comptroller of the Currency (OCC), Treasury; the Board of Governors of the Federal Reserve System (Board); and the Federal Deposit Insurance Corporation (FDIC)) jointly approved a final rule with two distinct notification requirements:

  • The rule requires “banking organizations” to notify their primary federal regulator of any significant “computer-security incidents” as soon as possible and no later than 36 hours after the bank determines a “notification incident” has occurred.
  • The rule also requires “bank service providers” to notify any affected banking organization customer of a “computer-security incident” that has “caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.”

The rule became effective on April 1, 2021, and requires compliance by May 1, 2022.


Who is subject to the rule?

As explained above, the rule imposes distinct requirements on “banking organizations” and “bank service providers.”

“Banking organizations” generally include any organization that is regulated by the OCC, the Board, or the FDIC. Specifically:

  • For the OCC: “national banks, federal savings associations, and federal branches and agencies of foreign banks.”
  • For the Board: “all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations.”
  • For the FDIC: “all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured State savings associations.”

The rule expressly excludes designated financial market utilities (“FMUs”) from its definition of “banking organization” and “bank service provider.” See 12 U.S.C. § 5462(4). To the extent an FMU is supervised by the Securities and Exchange Commission (“SEC”) or the Commodity Futures Trading Commission (“CFTC”), the FMUs are subject to any notification requirements imposed by those agencies. See e.g., SEC Reg. SCI, 17 CFR 242.1000 (SEC); 17 CFR 39.18(g) (CFTC).

When making the rule, the agencies also considered imposing it on “additional entities, such as financial technology firms and non-bank OCC-chartered financial services entities, to the extent the agencies have jurisdiction over those firms.” In the end, the agencies simply concluded that the definition of banking organization under the rule was “consistent with the agencies’ supervisory authorities.” To the extent that a banking organization is required to make a notification under the rule, that notification must go to the agency with primary regulatory oversight over the organization.

A “bank service provider” includes persons and companies performing “covered services” subject to the Bank Service Company Act, 12 U.S.C. 1861-1867 (“BSCA”). The definition is vague, but the agencies’ rulemaking explains that the purpose of the definition was to encompass any company that provides services to a banking organization and that could be involved in a service disruption.


When is notification required?

The respective notification requirements applicable to banking organizations and bank service providers are based on the occurrence of a “computer-security incident.” For consistency, the agencies adopted the same definition of “computer-security incident” as provided by the National Institute of Standards and Technology (“NIST”). Thus, a “computer-security incident” is “an occurrence that results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”


Banking Organizations

Banking organizations must provide notification to their regulating agency when a “computer-security incident” rises to the level of a “notification incident.” A notification incident is a “computer-security incident” that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:

  • Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • Business line(s) (any product or service that serves or supports business needs), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  • Operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

The definition of “notification incident” is broad enough to encompass any computer-security incident that impacts the banking organization’s general operations. As a practical matter, a banking organization will want to provide notification for any computer security incident that is likely to materially disrupt its operations or services to ensure compliance.

The banking organization must provide notice to the appropriate agency “as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.”


Bank Service Providers

A bank service provider’s notification requirement is triggered by a computer-security incident that has, or is reasonably likely to, “materially disrupt or degrade” the services it provides to the bank for four or more hours. The rule makes clear that scheduled maintenance, testing, or software updates that have been previously communicated to the banking organization are not subject to the rule’s notification requirement.

Bank service providers must provide notification to the designated point of contact at each banking organization whose customers will be impacted by the bank service provider’s degradation or disruption of service. Notification must be provided “as soon as possible.”


Takeaways

The new joint rule from the OCC, the Board, and the FDIC is consistent with a recent trend of various state and federal regulatory bodies imposing independent notification obligations related to a data incident.

The imposition of new notification requirements may lead to the imposition of inconsistent notification requirements (e.g., the Agencies’ rule conflicts with the state incident notification laws). The rule could place the banking organizations between a rock and a hard place. For example, the banking organization could determine that notification is required under the new rule but may need additional time to determine if notification to state agencies and customers is necessary. The perceived delay may serve as a justification for the imposition of fines or to support a theory of liability in litigation related to the incident.

The proper timing for notification will always be a case-by-case decision. Banking organizations and bank service providers should work closely and proactively with experienced incident response counsel to ensure compliance with notification laws and to mitigate against creating any bases for the imposition of penalties or civil liability.

Beckage closely monitors developments in laws and regulations governing cybersecurity. Beckage’s team of highly skilled attorneys and technologists is uniquely situated to assist clients as they navigate these changes.



Sources: 12 C.F.R. Part 53; 12 C.F.R. Part 255; 12 C.F.R. Part 304

Copy of the final rule: https://www.fdic.gov/news/board-matters/2021/2021-11-17-notational-fr.pdf


Florida Imposes Stricter Restrictions for Telemarketers – Changes to the TCPA Landscape

The State of Florida recently amended its telemarketing laws in ways that strongly affect telemarketing and text message marketing targeting Florida residents (and Florida area codes). These include the amended Florida Do-Not-Call Act (Fla. Stat. Ann. § 501.059) and the Florida Telemarketing Act, a/k/a Florida’s “Mini-TCPA” (Fla. Stat. Ann. 502.601, et seq.) (collectively, the “Florida Laws”).

Impacts of the Florida Laws

The Florida Laws provide a right of action similar to those under the Telephone Consumer Protection Act (“TCPA”). (See Beckage’s article for more information about the TCPA and considerations for text marketing).  Importantly, the Florida Laws create stricter restrictions on telephone solicitations (i.e., sales calls) and commercial telephone calls than those under the TCPA, TCPA regulations, and recent caselaw.

More Complex Restrictions to Navigate

The Florida Laws include requirements that deviate from or are more restrictive than those under the TCPA, TCPA regulations, and recent caselaw (in particular, the U.S. Supreme Court’s recent narrow interpretation of “automatic telephone dialing system” or ATDS). (See Beckage’s article on the SCOTUS decision here).

The Florida Laws are a hot topic and growing concern for businesses, including the contact center industry. On behalf of this industry, the Enterprise Communications Advocacy Coalition (ECAC) recently filed a petition asking the Federal Communications Commission (FCC) to interpret and preempt certain provisions of the Florida laws that “create a more restrictive environment” than the TCPA and TCPA Regulations and “frustrate the federal objective of creating uniform national rules and therefore must be preempted.” See

The most prominent aspects of the Florida Laws that have the potential to impose more restrictive requirements include:

1. Requirements Extend to Florida Residents & Florida Area Codes

The Florida Laws create a rebuttable presumption that telephonic sales calls made to any area code in Florida are made to residents or persons within the state at the time of the call.


2. Call Time Restrictions Changed

The time restrictions under the Florida Laws narrow the permissible calling window by one hour (the end of the window moves from 9 p.m. to 8 p.m.). This one-hour reduction arguably places an increased cost burden on telemarketers in particular.


3. New Three Call Frequency Limit

The Florida Laws include a call frequency limit of three “commercial solicitation phone calls” in a 24-hour period on the same subject matter/issue from any number. Imposing this limit when the TCPA does not include a similar limitation could impact telemarketers conducting nationwide calling campaigns.


4. Caller ID Restrictions Changed

The Florida Laws ban the use of technology that “deliberately displays” a different caller ID number to conceal the true identity of the caller. This arguably conflicts with the FCC’s TCPA regulations, which permit the use of such technology subject to conditions.


5. Automated Equipment/System Undefined & Broader Than ATDS

Under the Florida Laws, the term automated system/equipment is not defined and is arguably broader than the recent narrow interpretation of ATDS under the TCPA. This could open the door wider for litigation in Florida.


Private Right of Action & Potential Lawsuits   

The amended Florida Do-Not-Call Act creates a private right of action for a called party to sue and recover actual damages, or $500 per violation (whichever is greater) plus attorney’s fees and costs.

Tighter restrictions coupled with the private right of action may lead to increased litigation related to telemarketing and text messaging activities targeting Florida residents or area codes. Over 30 civil actions have been filed since the Florida Laws took effect on July 1; most have been dismissed or are currently pending. The Beckage team is watching these cases carefully.


Next Steps for Businesses Marketing to Florida Residents or Florida Area Codes 

As we continue to watch the response to the Florida Laws, marketing teams can take the steps below now to address and incorporate applicable requirements and help mitigate legal risk.

  • Review telemarketing and text marketing practices in light of Florida restrictions
  • Update policies and procedures to comply with Florida requirements
  • Update automated dialing systems/equipment to meet Florida requirements
  • Conduct due diligence/review of vendor systems/equipment used and evaluate compliance with Florida requirements
  • Keep an eye out for a potential increase in litigation

Managing compliance of telemarketing and text message marketing remains a complex issue and the emergence of state-specific requirements such as those under the Florida Laws adds an additional layer of complexity. Businesses should remain proactive and vigilant in maintaining compliance best practices for telemarketing and text message activities.  The Beckage team has deep experience guiding marketing teams and organizations managing compliance and litigation matters under the full spectrum of laws and regulations governing telemarketing and text message marketing.

For more information regarding the Florida Do-Not-Call Act, Florida Telemarketing Act, the TCPA, or related marketing questions email Beckage Member Myriah Jaworski at mjaworski@beckage.com






UK Decision Further Restricts Potential Class Privacy Actions and Sheds Light on Required Damages for Data Protection Claims

On November 10, 2021, the UK’s Supreme Court, in a unanimous decision in Lloyd v. Google in favor of Google, rejected an attempt to bring opt-out class action cases for data privacy claims in the UK.

In the UK, a robust class action regime for data protection claims does not currently exist, and the Lloyd decision reflects a rejection of class actions or representative actions in the data privacy realm. Unlike the UK, the US has long had a class action regime that allows for mass claims (including opt-out cases). Further, class action claims in the US have extended beyond traditional privacy tort claims to other claims related to data privacy (e.g., for violations of consumer protection laws and recently enacted data privacy laws such as the CCPA).

Background of Lloyd v. Google LLC  

Plaintiff Richard Lloyd filed an opt-out mass privacy action in the English courts against Google, relying on the long-standing Civil Procedure Rule (CPR) 19.6, which permits representative actions. Lloyd sought to bring the mass privacy action on behalf of 4.4 million allegedly affected iPhone users as a representative action for breach of Section 4(4) of the Data Protection Act 1998 (“DPA”).

Lloyd alleged that Google had breached its duties as a data controller under Section 4(4) of the DPA. Google allegedly used a workaround to capture browser data from iPhone users when they visited a site with Google content, after Apple enabled the automatic blocking of third-party cookies in its Safari browser. Lloyd alleged that Google’s Safari workaround secretly tracked and captured data from millions of Apple iPhone users (between late 2011 and early 2012) without the users’ knowledge or consent.

Further, Lloyd argued that an individual is entitled to compensation under Section 13 of the DPA whenever a data controller fails to comply with any of the requirements of the DPA in relation to that individual’s personal data, without proof of damage, provided that the breach is not trivial or de minimis. Lloyd sought a uniform amount of damages for all individuals, without proving damage for each, on the basis of “loss of control” (or “user”) damages: a lowest common denominator of loss suffered by every individual by reason of the breach. Lloyd argued that because the loss of control of data has value, the users were entitled to compensation for the value of that loss.

In the High Court, Lloyd had to show a reasonable prospect of success in order to serve Google out of the jurisdiction and move the case forward. Google contested Lloyd’s claim on two grounds:

  • damages cannot be awarded under the DPA for “loss of control” of data without proof that it caused financial damage or distress; and
  • the claim, in any event, is not suitable to proceed as a representative action.

The High Court held in favor of Google on both issues and refused permission to serve Google.

Lloyd appealed, and the Court of Appeal allowed the appeal, reversed the High Court’s decision, and granted permission to serve Google.

Finally, Google appealed to the Supreme Court, where the case attracted more attention and drew various intervening parties, including the UK’s Information Commissioner’s Office (ICO).

UK Supreme Court Decision

The issue before the Supreme Court, whether Lloyd should have been refused permission, turned on three key questions:

  • Did the class members suffer damage within the meaning of Section 13 of the DPA 1998?
  • Did the class share the “same interest,” as required for a representative action to proceed?
  • Should the court exercise its discretion to disallow the representative action?

1. Damages for Loss of Control

The Supreme Court rejected Lloyd’s argument that “loss of control” damages without proof of damage were within the meaning of the DPA.

Meaning of Damages

The Supreme Court held that to recover compensation under the DPA, proof of material damage or distress is required: “to recover compensation [under the DPA] for any given individual, it would be necessary to show both that Google made some unlawful use of personal information relating to that individual and the individual suffered some damage as a result.”

The Supreme Court considered the wording of Section 13 of the DPA, which states that a person who suffers damage from a contravention by a data controller of any requirement of the Act (or distress meeting the specific conditions of Section 13) is entitled to compensation for that damage or distress. It also noted that the intent behind the wording of Section 13 of the DPA was to implement Article 23 of the GDPR, which provided for compensation from a controller for damage suffered, i.e., material damage.

Thus, requiring only proof of breach would be inconsistent with the DPA.

Loss of Control Damages for Data Protection Violation

Lloyd argued that the same rule permitting “loss of control” or “user” damages without proof of damage for claims in the tort of misuse of private information should apply to the claim for violation of the DPA. Lloyd claimed this was appropriate because both are based on the same right to privacy. In the tort cases, loss of control compensation was available for wrongful use of property, even without financial or physical damage.

The Supreme Court rejected Lloyd’s argument that the same rules for loss of control or user damages should apply. It emphasized the distinctions between the common law tort claim for misuse of private information and a claim for violation of a data protection law (e.g., the tort claim requires a reasonable expectation of privacy). Further, the court noted that Lloyd did not bring a claim for misuse of the data collected by Google but rather for a violation of the DPA.

Thus, loss of control damages without proof did not apply.

2. Representative Action

Most critically, the Supreme Court found that a representative action, in this case, would fail.

The Supreme Court held that recovery under the DPA requires proof of unlawful use and material damage or distress suffered as a result. The Supreme Court said that Lloyd had to show that each of the individuals of the class had both suffered a breach and suffered damages as a result of that breach. Thus, the use of a representative action as a method for recovery without proving either will fail.

In the decision, the Supreme Court rejected the argument for a representative action for breach of the DPA. Further, the Supreme Court determined that a representative action for damages without an individualized assessment for damages would fail.

Representative Action for Breach – Same Interest Test

The Supreme Court evaluated the use of a representative action to establish breach of the DPA and entitlement to compensation based on that breach. CPR 19.6 permits claims to seek recovery on behalf of a group of individuals where all individuals have “the same interest” in the claim. The court noted that CPR 19.6(1) requires proof that all individuals have the “same interest” in the claim as the representative, and this test was not met.

However, the court noted that Lloyd could have framed the claim differently and adopted a bifurcated process for the representative action under the Act and individual claims for damages separately. As Lloyd did not seek a bifurcated action, the Supreme Court stated that the only other option for Lloyd was a representative action for damages.

Representative Action for Damages – Uniform v. Individual

The Supreme Court evaluated a representative action for damages and Lloyd’s claim for damages for each class member on a “uniform per capita basis.” The court stated that this option fails because the effect of the Safari Workaround was not uniform across the class and likely varied by type of user (i.e., super/heavy users v. limited users) and by the type and amount of affected data. Thus, an individualized assessment of damages would be required for all class members.

Lloyd argued for no assessment requirement, relying on the proposition that the class was entitled to compensation for any (non-trivial) contravention of the DPA without the need to prove individual damages. Lloyd argued that all members suffered a loss (damage or distress under the Act) and were entitled either to general damages on a uniform per capita basis or to the amount that could reasonably be charged for releasing Google from its duties. The Supreme Court rejected both arguments.

Key Takeaways

The Supreme Court unanimously allowed Google’s appeal and restored the dismissal of the case by the High Court.

This decision provides some key takeaways:

  • Claims for Violations of the DPA:
    • Proof of material damage or distress is required for claims for violation of the DPA brought by individuals and groups
    • Representative actions are not suitable for claims for violation of the DPA without evidence of misuse or material damages/distress
  • Other Mass Privacy Claims:
    • Opt-out representative action for damages requires an individualized assessment of damages

Further, the Supreme Court’s decision to reject Lloyd’s attempt to bring an opt-out case against Google shows that opt-out representative actions are likely not possible (or at least very difficult) for data protection actions.

How will this impact future data privacy claims in the UK?

This much anticipated and landmark decision will drastically reduce the number of mass privacy claims brought in the UK due to the heightened evidentiary burden, and deter cases where only minimal evidence of harm as a result of breach exists.

For plaintiffs/claimants, this decision makes it even more difficult for individuals and class counsel to bring mass privacy claims in the UK without obtaining proof of damage for all potential class members. This could be costly and will likely deter many cases, but it does not completely prevent such cases where individuals have suffered actual damage.

For businesses, this decision provides some relief from potential frivolous claims or claims lacking evidentiary support for businesses processing personal information in or about individuals in the UK.

Other pending potential representative actions (awaiting this decision) will likely be prevented from moving forward in UK courts. Note, however, that the Lloyd decision focused on the DPA as applied during the claim period (2011 to 2012) and not on recent developments in the UK data privacy framework (i.e., updates to the DPA and the UK GDPR).

Even in light of the Lloyd decision, the international data privacy landscape remains complex. Beckage works with its clients on developing international privacy compliance strategies and programs to implement proactive measures to protect personal data and thus reduce the risk of litigation. Our team of experienced attorneys, who are also devoted technologists, is specially equipped with the skills and experience necessary to provide guidance through the complexities of international privacy frameworks and to handle any resulting enforcement actions or litigation matters.




New Federal COVID-19 Vaccination Policies Trigger Data Privacy Considerations

UPDATE:  On November 6th, the U.S. Court of Appeals for the Fifth Circuit issued a temporary stay of OSHA’s latest vaccine rules in BST Holdings, L.L.C., et al. v. OSHA, noting that “there are grave statutory and constitutional issues with the Mandate.” On November 12th, the Fifth Circuit issued an order in continuance of its November 6th stay, stating that enforcement of OSHA’s latest vaccine rules “remains STAYED pending adequate judicial review of the petitioners’ underlying motions for a permanent injunction.” The Fifth Circuit further ordered “that OSHA take no steps to implement or enforce the Mandate until further court order.”

However, with several other similar lawsuits pending in other federal circuits, the Judicial Panel on Multidistrict Litigation has selected, by lottery on November 16th, the U.S. Court of Appeals for the Sixth Circuit to be the tribunal to hear the consolidated cases. The Sixth Circuit will thus have the authority to issue the controlling opinion on OSHA’s latest vaccine rules, though many expect litigation to continue up to the Supreme Court of the United States for a final decision.

Businesses should stay up to date with current developments regarding OSHA’s latest vaccine rules and related lawsuits and should understand existing and intended data collections practices within their organizations.  Evaluating what is being collected, how it is being retained, how this information can be accessed and by whom remains a very important part of an organization’s data security and privacy infrastructure in light of this climate. The Compliance Team at Beckage is experienced in navigating such changes and can assist businesses with their data security and privacy programs as the landscape continues to evolve within the next couple of months.

Email Beckage Privacy Compliance Team Lead Kara L. Hilburger, Esq., (CIPP/US)  at khilburger@beckage.com or call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in this space.

Continue reading initial post regarding The OSHA Rule below.


11-8-2021

On Thursday, November 4, 2021, the Occupational Safety and Health Administration (OSHA) published an interim final rule (OSHA Rule) requiring employers with 100 or more employees to implement plans to confirm employees are vaccinated and, if not, to test their employees weekly and require face masks. The OSHA Rule, published in the Federal Register on November 5, 2021, requires employers subject to the OSHA Rule to implement testing protocols for unvaccinated employees starting January 5, 2022.

Although the Fifth Circuit Federal Court of Appeals temporarily blocked the OSHA Rule on November 6, 2021, employers should still prepare a plan in the event the OSHA Rule is not permanently blocked given the pending compliance deadlines. This may require employers to revise existing procedures or create new policies and procedures. As employers develop and implement these policies, it’s important to carefully consider data privacy and security implications of maintaining this sensitive information about employees.

Below are just a few questions employers should ask as they develop these new policies.

Does the OSHA rule apply to me?

The answer depends on your company’s size, operations, and industry. Importantly, the new OSHA Rule does not apply to health care providers, which are subject to even more stringent rules announced by the Centers for Medicare and Medicaid (CMS) on the same day. The OSHA Rule applies to businesses with 100 or more employees. To determine whether an employer meets this 100-person threshold, companies should count all full- and part-time employees at all locations and worksites. Employers do not have to count employees who are contractors, employees from a staffing agency, or franchisee employees if the employer is the franchisor.

What does the OSHA Rule require?

Employers that are subject to the OSHA Rule must:

  • Determine vaccination status. Determine the vaccination status of each employee, accept proof of vaccination, and maintain records of each employee’s vaccination status. The OSHA Rule outlines forms of acceptable proof of vaccination, which includes COVID-19 Vaccination Record Cards, a copy of medical records documenting vaccination, and employee attestations in limited circumstances.
  • Test unvaccinated employees and require masks. If an employer elects not to mandate COVID-19 vaccination, the company must test each employee who is not fully vaccinated at least once every 7 days. If an employee has not been tested within a 7-day period, the employee must telework for two weeks before reporting back to a location with other employees and must be tested within the 7 days before returning. Employees must provide documentation of their test results, and employers must maintain these test result records. Unvaccinated employees must wear face masks at the workplace.
  • Require employees to notify the employer of a positive COVID test or diagnosis. Companies must require employees to provide prompt notice of positive COVID-19 tests and diagnoses and take steps to remove them from the workplace until they meet the criteria for returning.

Are there any exceptions?

Yes. The OSHA Rule does recognize certain exceptions and exemptions to these requirements.

  • Employees who work exclusively remotely or at outside locations are not subject to the requirements.
  • The OSHA Rule also does not apply to workplaces covered by the Safer Federal Workforce Task Force COVID-19 Workplace Safety: Guidance for Federal Contractors and Subcontractors.
  • The OSHA Rule does not apply to health care providers, which are covered by the CMS interim final rule.
  • The OSHA Rule has exceptions for employees who cannot receive the vaccine for medical reasons, or who are legally entitled to a reasonable accommodation under federal civil rights laws because of disability or sincerely held religious beliefs that conflict with the vaccination requirement.

Do I need to provide paid leave for vaccinations?

Yes. Companies subject to this rule must provide employees with up to four hours of paid time to receive their vaccination. They must also allow for reasonable time and paid sick leave for the employee to recover from vaccine side effects.

Do I need to pay for the cost of testing if an employee isn’t vaccinated?

No, the OSHA Rule does not require covered employers to cover the costs of testing. However, other laws, regulations, collective bargaining agreements, or collective negotiation agreements may require the employer to pay for testing.

How does the OSHA rule impact state vaccination and testing laws?

The OSHA Rule pre-empts any state law that has less restrictive standards regarding vaccination and testing for COVID-19 in the workplace. States can impose greater vaccination requirements; for example, some employers may be subject to state laws that do not include medical or religious exceptions.

What needs to be addressed in the vaccination policy?

Companies must develop, implement, and enforce mandatory policies that address COVID-19 vaccination procedures or mandatory testing if the company does not mandate vaccinations.  These policies must be provided to employees in a language and literacy level that employees understand.

Are there any additional documentation and reporting requirements?

Yes. Companies must provide employees and their designated representatives with their vaccination and testing records by the end of the next business day following the request for such records. Companies must also be able to provide policies and procedures to OSHA within four business hours and must provide an aggregate number of total vaccinated employees upon request by the next business day.  Finally, companies must report work-related COVID-19 fatalities to OSHA within 8 hours of learning about them. Covered employers must report a COVID-19 related in-patient hospitalization within 24 hours of learning about it.

Are there penalties for non-compliance?

OSHA officials have stated they will use OSHA’s authority to inspect workplaces and investigate complaints received from employees. Failure to comply with OSHA regulations can lead to a penalty of $13,653 per violation for serious violations (and per day for failure-to-abate violations) and $136,532 per violation for willful or repeated violations.

How should companies prepare?

Companies subject to the OSHA Rule should review the new requirements and develop a strategy for documenting and implementing the mandatory procedures as effectively and efficiently as possible. The new rule requires employers to collect and maintain sensitive employee data. Policies and procedures addressing how these records will be maintained and protected will be necessary. In tandem with developing those procedures, companies may want to update record retention procedures and determine whether existing data security and privacy protocols are sufficient. It is also recommended that companies work with legal counsel to review whether and how state laws interact with the new OSHA requirements. Many states have statutes and regulations requiring companies to safeguard medical information held on behalf of clients and employees. This is particularly important for employers that have not previously held sensitive employee information such as health records and may not have proper procedures in place for safeguarding such records.

Beckage continues to monitor this evolving landscape and provide updates on important topics that impact data privacy and security, which have a very real impact on business operations. Regardless of the legislative landscape, a robust data security and privacy program that can stand the test of time is a wise investment. Our team is available to assist your team in the evaluation of legal implications of current requirements and legislative changes in the data privacy field.

Email Beckage Health Law Team Lead Sarah L. Rugnetta, Esq., (CIPP/E) at srugnetta@beckage.com or call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in the Health Law space.

*Attorney advertising: prior results do not guarantee similar outcomes.
