Client Alerts, News Articles & Blog Posts

Everything you need to know about BMD and the industry.

Five Things That Owners and Boards Need to Know About Privacy and Cybersecurity Compliance

Do you serve on a Board of Directors or serve in a similar advisory capacity for a company or organization? Do you own your own business? Here are five things you should know about privacy and cybersecurity compliance.

  1. Upholding Your Fiduciary Duties

As a fiduciary of an organization, you may already know that you have a duty of loyalty and duty of care, including the duty to keep investors and owners informed of the cybersecurity risks of the organization. You also have the duty to protect the organization from undue risk, balancing the organization’s ability to conduct its operations with appropriate levels of risk mitigation strategies.

  1. Basic Knowledge of Privacy and Cybersecurity Issues

To properly fulfill your fiduciary duties, you need to obtain and maintain a basic knowledge of cybersecurity and privacy issues and risks facing the organization. Lack of understanding is not an excuse, and it is expected that Boards familiarize themselves with the cybersecurity efforts in the organization, champion and drive the organization’s commitment to ensure adequate cybersecurity protections are established and maintained. Board members and owners are also strongly encouraged to engage in the organization’s training and awareness campaigns and gain additional awareness as it relates to advising organizations effectively.

  1. Maintain the Company’s Reputation and Public Perception

Privacy and cybersecurity compliance builds the foundation of trust and reinforces an organization’s reputation for honoring the privacy expectations of both customers and business partners. A company’s character and brand are driven by industry expectations, treatment of customer data, legal requirements and product development. Mishandling a security breach can have devastating effects on the organization’s reputation, financial, operational and other aspects of the business. Many companies do not recover from a data breach due to the lack of proper advance planning and proper oversight.

  1. Watchdogs

In the United States alone, there are several different government authorities that maintain varying levels and scopes of authority over organizations with respect to privacy and cybersecurity issues, including the Securities and Exchange Commission, Federal Trade Commission, Department of Justice, Federal Sentencing Commission, and State Attorneys General, to name a few. There are also non-governmental watchdogs, from privacy advocacy groups who lobby for stricter laws and regulations and plaintiffs’ attorneys who bring actions against organizations that fail to comply with laws and regulations as well as organizations’ own stated privacy practices.

  1. Board Personal Liability

Breaches of fiduciary duties can be a slippery slope: subjecting board members to personal liability if the failure to exercise a minimum level of care, such as ignoring cybersecurity risks of the organizations, delegating responsibility without oversight, and lack of proper skill or training to properly advise the organization in these matters. Penalties can range from debarment from eligibility to bid on future federal contracts, large fines and jail time for individuals.

What Owners and Board Members can Do Today:

  • Call your insurance provider:
    • Do you have a cyber insurance policy?
    • Understand what is covered and make sure that the coverage is appropriate for your business risks.
  • Meet with your technology experts to talk about current protections and risks that they are aware of. Understand where there may be gaps in current protections from a technology perspective and what recommendations the technology experts have to fill those gaps.
  • Consult with legal counsel to identify the laws and regulations that apply to your business related to privacy and cybersecurity compliance.
  • Assemble a cross-functional team of internal and external subject matter experts and professionals who handle critical data of the company to form a privacy steering committee. The Committee’s core responsible should be implementing and maintaining a compliance program that addresses the company’s privacy and cybersecurity risks.

Need conversation starters about privacy and cybersecurity for your board or organization? Contact Partner Allison Cole at aecole@bmdllc.com to discuss ways to address this important topic for your business.

The Masks Are Back: New OSHA Regulations for Healthcare Employers

Employment Law After Hours is back with a News Break Episode. Yesterday, OSHA published new rules for healthcare facilities, including hospitals, home health employers, nursing homes, ambulance companies, and assisted living facilities. These new rules are very cumbersome, requiring mask wearing for all employees, even those that are vaccinated. The only exception is for fully vaccinated employees (2 weeks post final dose) who are in a "well-defined" area where there is no reasonable expectation that any person with suspected or confirmed COVID-19 will be present.

New OSHA Guidance for Workplaces Not Covered by the Healthcare Emergency Temporary Standard

On June 10, 2021, OSHA issued an Emergency Temporary Standard (ETS) for occupational exposure to COVID-19, but it applies only to healthcare and healthcare support service workers. For a detailed summary of the ETS applicable to the healthcare industry, please visit https://youtu.be/vPyXmKwOzsk. All employers not subject to the ETS should review OSHA’s contemporaneously released, updated Guidance on Mitigating and Preventing the Spread of COVID-19 in the Workplace. The new Guidance essentially leaves intact OSHA’s earlier guidance, but only for unvaccinated and otherwise at-risk workers (“at-risk” meaning vaccinated or unvaccinated workers with immunocompromising conditions). For fully vaccinated workers, OSHA defers to CDC Guidance for Fully Vaccinated People, which advises that most fully vaccinated people can resume activities without wearing masks or physically distancing, except where required by federal, state, or local laws or individual business policies.

Employer Liability for COVID-19 Vaccine Side Effects

As employers encourage or require employees to obtain a COVID-19 vaccine, they should be aware of OSHA recording obligations and potential workers’ compensation liability. Though OSHA has yet to revise its COVID-19 guidance in response to the latest CDC recommendations, OSHA has revised its position regarding the recording of injury or illness resulting from the vaccine. Until now, OSHA required an employer to record an adverse reaction when the vaccine was required for employees and the injury or illness otherwise met the recording criteria (work-related, a new case, and meets one or more of the general recording criteria). OSHA has reversed course and announced that it will not require recording adverse reactions until at least May 2022, irrespective of whether the employer requires the vaccine as a condition of employment. In its revised COVID-19 FAQs, OSHA states:

The New Rule 1.510 - Radical Change for Summary Judgement Procedure in Florida

In civil litigation, where both sides participate actively, trial is usually required at the end of a long, expensive case to determine a winner and a loser. In federal and most state courts, however, there are a few procedural shortcuts by which parties can seek to prevail in advance of trial, saving time, money and annoyance. The most common of these is the “motion for summary judgment”: a request to the court by one side for judgment before trial, generally on the basis that the evidence available reflects that a win for that party is legally inevitable and thus required. Effective May 1, 2021, summary judgment procedure in Florida has radically changed.

Vacating, Modifying or Correcting an Arbitration Award Under R.C. 2711.13: Three-Month Limitation Maximum; Not Guaranteed Amount of Time

In a recent decision, the Supreme Court of Ohio held that neither R.C. 2711.09 nor R.C. 2711.13 requires a court to wait three months after an arbitration award is issued before confirming the award. R.C. 2711.13 provides that “after an award in an arbitration proceeding is made, any party to the arbitration may file a motion in the court of common pleas for an order vacating, modifying, or correcting the award.” Any such motion to vacate, modify, or correct an award “must be served upon the adverse party or his attorney within three months after the award is delivered to the parties in interest.” In BST Ohio Corporation et al. v. Wolgang, the Court held the three-month period set forth in R.C. 2711.13 is not a guaranteed time period in which to file a motion to vacate, modify, or correct an arbitration award. 2021-Ohio-1785.