Fortunately, although Idaho’s vaccination rate remains relatively low, COVID numbers are dropping dramatically. Businesses are reopening and people are gathering again. Some employees may return to physical workspaces; some may continue to work remotely. As Idaho continues to reopen, companies must address employee safety pertaining to COVID-19 exposure and vaccinations.
Companies must also attract and retain qualified employees. Competition for good employees is fierce. Idaho’s seasonally adjusted unemployment rate in April was 3.1%. Some businesses are closing because they cannot find the qualified employees they need to operate.
Given these dual concerns of potential safety and scarcity of employees, private companies should endeavor to encourage, if not require, vaccinations for returning employees to attract and retain the best talent.
Patchwork of Employment Protection Laws
Well before the pandemic, businesses have had to comply with employee protection laws at both the federal and state level.
On the federal level, the Equal Employment Opportunity Commission (EEOC) is tasked with enforcing laws against discrimination in the workplace, such as the Americans with Disability Act (ADA) and the Rehabilitation Act (essentially the ADA for federal agencies, federal programs, businesses receiving federal financial assistance and federal contractors), Title VII of the Civil Right Act and its various amendments (Title VII) (prohibiting discrimination based on race, color, national origin religion, sex, and pregnancy), the Age Discrimination in Employment Act (ADEA) (prohibiting discrimination based on age, 40 or older), and the Genetic Information Nondiscrimination Act (GINA) (prohibiting discrimination based on genetic information in health coverage and employment).
Also on the federal level, the Occupation Health and Safety Administration (OSHA) is the federal agency responsible for ensuring safe and healthful workplaces and has long required companies to implement measures to keep employees safe. Idaho does not have a federally approved occupational safety and health regulatory program; private sector employers must comply with OSHA’s federal standards.
Companies also must contend with state oversight. Every state has its own agencies tasked with oversight of discrimination and safety in the workplace. In Idaho, the Idaho Human Right Commission was established by the legislature to help protects persons, including employees, from illegal discrimination. The Commission relies heavily on EEOC guidance in addressing claims of workplace discrimination.
Employment Protection Laws and Vaccinations
In responding to the public health issues wrought by the pandemic, companies still must comply with employee protection laws. Understanding how these laws intersect with COVID-19 vaccinations will help companies not only keep their employees safe but also protect against unwanted liability exposure.
Since March 2020, when the United States began to shut down, the Equal Employment Opportunity Commission (EEOC) has been clear that employee protection laws like the ADA and Title VII do not interfere with or prevent businesses from following the guidelines and suggestions made by the Center for Disease Control (CDC) or state and local public health authorities implemented for public safety reasons. However, the EEOC has warned that businesses must follow those public safety guidelines in a manner that does not violate employee protection laws.
With vaccination rates nationwide reaching fifty percent (50%), in late May 2021, the EEOC updated its COVID-19-related guidance to address and respond to the wave of workers who will be returning to work—some who will be vaccinated and others who will not. In that guidance, the EEOC makes clear that, under certain circumstances, companies can require their employees be vaccinated before returning to work. The EEOC also states that companies may offer incentives to employees to encourage they get vaccinated. Yet again, however, the EEOC cautions that companies implementing these requirements and incentives must do so in a manner that complies with existing employee protection laws.
The ADA and Title VII
As companies address whether and how to implement a vaccination policy, they will encounter employees who claim they cannot get a vaccine because they are disabled or hold a sincerely held religious belief. Companies should have policies in place that treat those employees fairly and consistently with applicable employee protection laws.
Under the ADA, if companies do require vaccinations or offer incentives, they must do so in a way that is job-related and consistent with business necessity, and that provides reasonable accommodation if an employee cannot get vaccinated due to a disability. Given the still-present risk of COVID-19 (and potential variants), a vaccination policy will almost always be considered job-related or consistent with business necessity. Thus, under the ADA, companies may be required to provide reasonable accommodation if an employee claims he or she cannot get vaccinated due to a disability.
Under Title VII, if an employee elects not to be vaccinated based on a sincerely held religious belief, a company may also be required to provide a reasonable accommodation.
Under either law, a company need not provide a reasonable accommodation if to do so would impose a direct threat to the health and safety of the employee and other workers or an undue hardship.
What is a Reasonable Accommodation?
The law defining a sincerely held religious belief or disability is complicated. Companies must take seriously any request for an accommodation by one of their employees. We recommend that, should companies decide to implement a vaccination requirement, those companies notify all employees, in writing, that they will consider requests for reasonable accommodation on an individualized basis.
While the type and manner of reasonable accommodations vary depending upon each situation, some typical accommodations for those who are not vaccinated may include:
What is a Direct Threat that Might Eliminate the Obligation to Provide Reasonable Accommodation for a Disability?
For those employees that claim they are disabled, a company may not be required to provide a reasonable accommodation if the employee would pose a “direct threat” to the health and safety of himself or herself or those in the workplace that cannot be eliminated or reduced by reasonable accommodation. 29 C.F.R. 1630.2(r). Whether an employee poses a “direct threat” depends on whether that employee can safely perform the essential functions of the job. That determination considers many factors which include the type of work environment and the likelihood and imminence of potential harm in that work environment. A “direct threat” assessment should be based on reasonable medical judgment that relies on current medical knowledge about COVID-19.
What is an Undue Hardship That Might Eliminate the Obligation to Provide a Reasonable Accommodation for A Disability or Sincerely Held Religious Belief?
A company may also not be required to provide reasonable accommodation if it would pose an undue hardship on the company.
Under the ADA, to determine whether the accommodation would cause an undue hardship, a company should consider: (1) the nature and cost of the accommodation; (2) the overall financial resources of the company; (3) the type of operation of the company; and (4) the impact of the accommodation on the operation of the company. A company’s burden to establish undue hardship when determining whether a reasonable accommodation must be provided is high.
Under Title VII, the standard is different and less rigorous than the ADA’s standard. Under Title VII, an undue hardship includes not only economic or financial burdens—which would meet the ADA standard—but also a disruption in the workplace or imposition on other workers—which would not meet the ADA standard.
Evaluate Each Request for Accommodation
Companies should approach employee requests to opt out of any vaccination policy on a case-by-case basis and consider each employee’s request for accommodation in the context of overall workplace safety. Certainly, there can be sharp edges for companies as employees return to work. However, with thoughtful and careful policies and protocols that prioritize employee safety and well-being, companies will find themselves well-positioned to hire and retain the qualified employees needed to successfully operate.
Harassment Based on National Origin, Race or Other Protected Characteristics
Harassment specifically directed at an individual because of a protected characteristic, including race and national origin, is prohibited by Title VII. Companies must actively communicate with their workforce that such harassment is prohibited and will not be tolerated. The EEOC has issued harassment policy tips for small business which are practical and, with some foresight, can readily and successfully be implemented.
Voluntary Vaccination Programs
Companies may also offer voluntary vaccination programs even when vaccines are not job-related or consistent with a business necessity. Should companies elect to proceed on a voluntary basis, they cannot take adverse action against, or harass, those employees who elect not to get vaccinated or refuse to share information about their vaccination status. Companies also must be careful about offering a voluntary vaccination program on a selective basis which may exclude certain employees based on national original or another protected basis.
Equal Access to Vaccines
Companies should consider that certain communities may not have the same access to vaccinations as other communities and help their employees understand their vaccination options. As of May 2021, the federal government is providing vaccines at no cost to anyone over the age of 12. The resources available to provide equal access to vaccinations are abundant. At the federal level, information can be obtained at the following websites: https://www.vaccines.gov/ and https://www.cdc.gov/publichealthgateway/healthdirectories/index.html (with links to state and local directories). For employers, the CDC has created comprehensive guidelines to help businesses create workplace vaccination programs.
Individuals over the age of 65 face higher risk for a severe case of COVID-19 if they contract the virus. The CDC encourages businesses to offer the most flexibility for these individuals in the workplace. Unlike the ADA, the ADEA does not require companies to provide reasonable accommodation. In other words, age alone does not require a business to explore accommodations for that worker. However, companies must be careful to not involuntarily exclude older workers out of benevolent concern for their safety, which would be a violation of the ADEA. Of course, as with any employee, an older employee may have an underlying disability, for which the reasonable accommodation requirements of the ADA would apply.
While the ADA does not consider pregnancy itself to be a disability, pregnancy-related medical conditions are considered a disability. Companies cannot treat employees with pregnancy-related medical conditions differently from other employees who are similar in their ability or inability to work. Such employees must be offered the same or similar job modifications, such as telework, changes to schedules or assignments, and leave. If a pregnant person requests an exemption from a work-related vaccine requirement based on a pregnancy-related medical condition, the company must consider such request on an individualized basis and may be required to reasonable accommodate that request.
The first three COVID-19 vaccines to receive Emergency Use Authorization (EUA) from the FDA (Pfizer-BioNTech, Moderna, and Janssen) include pre-vaccination medical screening questions that do not request information about a patient’s genetic information, including asking about such patient’s family medical history. Thus, any vaccination program properly implemented by a company using one of these three vaccines does not implicate GINA.
Idaho does not have a federally approved occupational safety and health regulatory program. Thus, private sector workplaces are regulated by federal standards. As society reopens, companies must remain vigilant. This month (June 2021), the Occupational Safety and Health Administration (OSHA) updated its emergency temporary standard (COVID ETS) and its Guidance on Mitigating and Preventing the Spread of COVID-19 in the Workplace for non-healthcare employers and workers (Guidance) in response to increasing vaccinations. As a surprise to some, OSHA limited application of its updated COVID ETS to most health care employers.
For all other industries, OSHA continued to make recommendations (as opposed to requirements) regarding COVID-19-related safety through its Guidance, which provides that:
A common misconception is that an employer’s collection of an employee’s medical information is covered by the Health Insurance Portability and Accountability Act (HIPAA). Employers are generally not “covered entities” under HIPAA and thus not subject to it. However, as with other employee medical information, employers must keep an employee’s medical information pertaining to COVID-19 and vaccinations confidential and stored separately from the employee’s personnel file.
Is a Company Required to Have a Vaccination Policy?
Vaccination requirements, incentives and voluntary programs are not mandatory. Companies do not have to have them. However, they are a good idea. Having such a policy can establish that the business is taking appropriate steps to protect its work force. Many states across the country have passed laws providing some limited immunity to business from COVID liability. Idaho passed just such a law, which was extended one year in the most recent legislative session and is now set to expire July 1, 2022. These laws generally advise that, for such liability protection, business must comply with public health guidance by federal, state, and local authorities. These laws also do not shield business from liability for COVID-related injuries caused by wanton, reckless, willful, or intentional misconduct.
While not all agree vaccinations provide a safe avenue to reopening, as businesses welcome their employees back to the workplace, they should do so in a manner that increases employee safety and satisfaction. Dempsey Foster is here to help if you have questions.
What is intellectual property (IP) and why should you care about protecting it in your business? Defined broadly, IP refers to creations of the mind. IP is your designs, your inventions and innovations, your brand and logo, and in many cases your creative ideas and thoughts put down in written form. IP is the way in which you declare to the world this is your business and you intend to protect it.
As a powerful driver of business growth and innovation, IP can constitute more than 80 percent of a single company’s value today.
How do you harness this growth potential for your business?
First, recognize that IP is property. While you cannot touch it like tangible property such as equipment or land, the law (and the IRS) recognize IP as intangible property. Just like any other property, IP should be identified and catalogued. Accurate identification and cataloguing of your IP are critical to your ability to protect your property rights and ensure you are not infringing on the rights of others.
Second, take steps to ensure you, people who work for you, and those with whom you share your IP engage with protecting your IP as much as you do.
A straightforward but comprehensive IP strategy can accomplish both goals.
Identify and Catalogue your IP
Your business likely started with an original and creative idea or concept. To protect these ideas and concepts, you must define them.
In general, there are four categories of IP: copyright, trademark, trade secrets (or dress), and patents. You must identify both what IP you have created and own and keep detailed notes on the dates such IP was created and, if applicable, modified. This information will provide critical evidence in any enforcement action you may need to take, whether in court or before government agencies such as the United States Patent & Trademark Office and United States Copyright Office.
This form of IP protects authors of original works of authorship such as literary, dramatic, musical, artistic, and certain other intellectual works. If you look at the bottom of the Dempsey Foster website, like most other websites, you will see the symbol: ©. This indicates that the original and creative content on our website is protected under copyright law. The duration of copyright protection is, in general, the life of the author plus 70 years. You can and should register your copyright with the United States Copyright Office.
This form of IP protects a word, name, symbol, or device, or any combination, used or intended to be used, in commerce to identify and distinguish your goods or services. Usually, it is how you are recognized in the marketplace and distinguishes you from your competitors. The tricky part of trademark protection is that not every word, symbol or combination of words or symbols is protectible. For example, a business that sells apples cannot trademark, and thus prevent others from using, the generic phrase “sweet apples” when it sells apples. However, a well-known technology purveyor has trademarked the term “Apple” when used in connection with the sale of its iPhones, iPads, and Macs. Thus, if you decide to likewise use the mark “Apple” to sell your own business’s smart phones, tablets, or computers, you will quickly become subject to an enforcement action. (If you have any doubt, Apple provides clear guidelines for use of its IP.)
The protection afforded by a trademark lasts 10 years with 10-year renewal terms. Once you use a protectible trademark in commerce (that does not infringe other trademarks), you can assert ownership rights over it. Your rights are strengthened by registering your trademark with the United States Patent and Trademark Office (USPTO).
When analyzing whether your mark is protectible, trademark law provides some guidepost definitions ranging from least protected (generic) to most protected (arbitrary or fanciful).
The term “trade secrets” refers to any information that provides economic value that is not in the public domain and that has been reasonably kept secret. Trade secrets can include formulas, programs, devices, methods, techniques, processes, and customer or client lists. Trade secrets can be protected under state or federal law for as long as they remain secret. Businesses must take special care to ensure their trade secrets are kept secret. If they are not kept secret, they cannot be protected.
A patent is a specific grant of property rights by the USPTO. A business or person that invents or discovers something “useful” may obtain a patent. The system is set up as a quid pro quo: if you agree to disclose your useful invention to the government in specific terms, you gain exclusive rights to that invention. If granted a patent, you have powerful enforcement rights. However, at some point, you lose the right to that patent’s exclusivity and the enforcement heft that comes with it. For that reason, certain businesses choose not to patent their inventions but rather keep those inventions secret through other methods.
Take Steps to Protect your IP
Once you have identified and catalogued your IP, the next step should be to implement policies and procedures to ensure your IP is protected. This can be accomplished with the following:
Identify Who Has Access Where
The goal is to limit access to your IP to only those stakeholders and workers who need it to operate and grow your business. Once you have limited access to certain people, you then need to identify the systems and devices on which the IP will be accessed and implement appropriate security measures. What are your core IT systems? Do those systems limit IP access to only authorized users? Will authorized employees use their personal smart phones for work and to access IP? Do employees use cloud applications and file sharing services that may contain IP? If the answer is yes to any of these questions, make sure you are appropriately limiting access through multi-factor authentication, encryption, or other privacy protection methods as part of your data security strategy.
A Written IP Policy: Required Reading
Your business should have a written policy that generally identifies its IP and proclaims it as confidential. For those with whom you work, this can be included as part of your new hire packet, employee handbook, and contractor agreements. This policy should be stated in sufficiently broad but specific terms and be required reading for all who have access to your IP. For example, new hires, current employees, and independent contractors should execute an acknowledgement that they have read and reviewed your IP policy. (In the next post, in addition to employee safety, Dempsey Foster will discuss different strategies to fairly implement non-compete and non-solicitation policies to further protect your business.)
Non-Disclosure Agreements (NDAs) and Virtual Data Rooms (VDRs)
There will likely come a time when the strategic growth of your business requires that you share your IP with third parties. You may decide to sell your business or join with another. NDAs and VDRs are standard fare when businesses are negotiating certain transactions or acquisitions. Like your internal written confidentiality policy, an enforceable NDA must identify generally your IP, proclaim it as confidential, and be executed by any party that will have access to your IP. VDRs-secure online repositories for storing and sharing confidential and sensitive files including IP-should employ controls to restrict user access, document confidential materials (through, for example, watermarking), and create activity and access audit trails.
Intellectual Property Transfer and License Agreements
Finally, your business may elect to monetize its IP by licensing either its trademark, patent, or other IP to another in exchange for royalties or other benefits. An appropriate contract will allow you to transfer IP while still protecting its confidentiality and maintaining your property rights.
* * *
Because IP is likely an integral part of your business, proper attention and care must be paid to capitalize on its ability to carry your business to its next stage.
Businesses grapple with the best way to prevent, address, and respond to harassment in the workplace. The law provides guidance. Policies, training, complaint procedures, and investigation protocols--all suggested or required by law to avoid liability for harassment--are not hard to come by. But while legal compliance is generally an attainable goal, it does not prepare businesses to truly engage in the process most influential on how workers treat each other: the development of workplace culture.
When people think of sexual harassment, they usually think of explicit sexual innuendo, inappropriate and unwanted flirting, procuring sexual favors for workplace benefits, and unwanted physical touching of gender-specific body parts. Under the law, an illegal hostile workplace environment exists only when the sexual harassment is “severe and pervasive.”
From a social and psychological perspective, harassment is more complicated. Sexual harassment is not simply a reflection of desire or insufficient social skills. Harassment based on sex—or race, religion, or other aspects of identity—is an exertion of power and exclusion. It makes the target feel uncomfortable, ashamed, confused, scared, or hurt. It works to denigrate, exclude, and push down people based on their identity.
Harassment occurs in many ways. Harassment can:
All of these forms of harassment alienate and harm people—both the target of the harassment and the people around them—and the environment in which they exist.
Impact on people:
Impact on business:
The law does not make all harassment illegal. In 1998, for example, the Supreme Court held that "simple teasing, offhand comments, and isolated incidents (unless extremely serious)" do not create a hostile work environment based on sexual harassment in violation of Title VII of the Civil Rights Act of 1964. And it has long held that Title VII is "not a civility code." That is still the law.
But as our society begins to more comprehensively understand the impetus behind harassment--again, not just sexual harassment but racial as well--it becomes more complicated to label something "simple teasing." And we know that "low grade harassment" such as "simple teasing" still alienates and harms the harassee and environment. .
This is particularly true at the workplace. Employed persons often spend the majority of their waking hours at work interacting with others. Workplace culture and relationships are foundational to working persons' lives and experiences. No employer or business wants its employees to feel they do not belong or are not valued. Not only is it bad for the elusive bottom line, it is just bad for people.
The law of sexual harassment and discrimination is only one rough tool to address workplace harassment. In Harassment, Workplace Culture, and the Power and Limits of Law, 70 Am. Univ. L.R. 419 (2020), Professor Suzanne B. Goldberg presents a compelling and easily read analysis of how the law can help and how it cannot. For example, harassment that does not create legal liability still negatively affects targeted employees and the broader workplace. As she explains:
"The problem is that an approach delinking legal accountability from workplace culture misses the ways in which choices about compliance can create additional barriers to effective harassment prevention and response... Harassment policy, communications, and trainings are elements of culture-creation, not just protection against liability. When they are generated and implemented through a compliance lens, employers may satisfy their general counsel but will be unlikely to improve the experience of employees, except perhaps at the margins."
When making choices about how to address and respond to harassment, businesses often make choices based on legal accountability rather than cultural development. Empirically, cultural development ultimately bears the strongest influence on employee behavior.
For example, organizational culture can create an atmosphere in which harassment is not understood or proscribed. As a result, sexual harassment historically and currently often goes underreported. Targets of harassment may refrain because of shame, embarrassment, or self-blame; for fear of retaliation or further marginalization, or based on their belief the organization will not be able to help them. This is is particularly true for more vulnerable persons at work: low-level supervisees, individuals depending on their employment for immigration status, or workers dependent on their job for basic subsistence.
Likewise, organizational cultural expectations teach employees how to treat each other. These expectations are created not just at the top by business leaders but throughout the organization at all levels. How the organization responds to bad behavior or complaints also creates a cultural understanding and expectation.
What this all means: creating a legally compliant harassment policy, complaint procedure, investigation protocol, and outcome expectations will satisfy the law. It also contributes to the overall organizational culture that more directly influences employee behavior. As Professor Goldberg advises:
"By seeing harassment prevention and response as an opportunity for culture creation in addition to being a compliance obligation, it also becomes clear that harassing behavior may negatively affect the targeted employee and the broader workplace even when there is no risk of liability. This includes 'low-grade harassment,' a category I use to describe behaviors that are intentionally harassing but not severe or pervasive enough to meet doctrinal thresholds. Also relevant are microaggressions and interactions that reflect implicit bias, as these are unlikely to expose a firm to liability because they lack the discriminatory intent required by legal doctrine but nonetheless can create significant challenges for employees and organizations. This is not to suggest that employers should respond in an identical way to all of these occurrences. Rather, the point is that inattention to experiences that go beyond legal-accountability requirements is likely to spill over into the broader workplace culture and diminish the effectiveness of other harassment prevention and response efforts."
Creating and managing records is an important part of business. Keeping records helps companies meet important directives: accountability, efficiency, protection of rights, legal compliance, and the ability to reconstruct the past. As business moves more rapidly to the cloud, the amount of information to track, maintain, and destroy has increased exponentially. When a business is involved in litigation, record-keeping becomes even more important. Consumers, employees, and suppliers conduct business in an almost entirely online fashion. The shift to data-driven business and a greater emphasis on corporate responsibility creates even greater imperatives and nuances to the world of information management. Having a practical and strategic preservation protocol is critical for both day-to-day operations and litigation success.
Day to Day Preservation Strategies
In creating an operational information preservation strategy, we suggest that businesses inventory (1) the categories of information they need to retain; (2) where that information is located; and (3) who controls that information.
What information you have
Operational and legal principles dictate different levels of preservation for different types of information. Types of information may include:
Where the information is
Remote working creates multiple access and storage points for a company’s electronically-stored information (ESI). A healthy preservation strategy accounts for all of these points: workstations, cloud storage, handheld devices, external storage systems, laptops, tablets, network servers, voicemail systems, leased storage space, and backup tapes. Even a simple protocol for maintaining email can have significant operational and legal benefits.
Who controls the information
A robust preservation strategy considers who and which departments create, receive, and maintain what types of information. Mapping your company’s information structure and communication protocols can help you develop a tailored, practical protocol.
Preserving information becomes even more critical when your company is involved in litigation.
Duty to preserve
A legal duty to preserve “relevant” information arises whenever litigation becomes “reasonably foreseeable.” In such cases, preservation becomes a specific response to a specific dispute or challenge. A company facing reasonably foreseeable litigation must immediately identify the types of information that may be implicated, the persons and departments who may retain or have access to such information, the best method to segregate and preserve existing information, and a strategy for segregating and preserving new information that may be created or obtained. This may include preservation of backup tapes, metadata, and even ongoing day-to-day routine communications. A written and specific litigation hold should promptly be issued to all potential holders of such information.
In federal court, and increasingly in state court, one of the first things a party must do in litigation is communicate with its adversary about its information structure. Parties must, or should, identify key persons with access to relevant information; how that information is stored; what types of information should be provided to the other side; and the best mechanism for providing information, which may involve a third-party vendor.
Often the biggest risk companies face in litigation comes from failing to collect the right information for the lawsuit. Understandably, businesses do not want to turnover their internal documents and ESI to a known adversary and, potentially, to the public. But a reticent approach to document discovery ultimately will cost a company money and time.
Consequences for noncompliance
Failing to preserve ESI or produce relevant information during a lawsuit can lead to disastrous outcomes, including an adverse factual inference, sanctions, or, in extreme cases, a judgment entered against the company.
In sum, developing a strategic and careful day-to-day information preservation strategy and following best practices for litigation can meaningfully reduce risk and expense and allow companies to focus on doing business.
Photo by Element5 Digital
All organizations, regardless of size or industry, have digital data to protect. This includes customer data, employee data, financial data, medical data, confidential business information, and intellectual property.
In the last year, the pandemic has forced many businesses to increase their electronic engagement with employees, customers, and suppliers, which has created a broader range of digital data susceptible to cyberthreats. Responding to a customer data breach can cost hundreds of thousands, if not millions, of dollars to address. The loss in brand confidence and reputation is incalculable.
What can businesses do? Develop a cybersecurity strategy to prevent breaches before they occur and contain them if they do.
What is data security?
Data security is the protection of digital information from unauthorized access, corruption or theft. A data security practice encompasses every aspect of securing information: physical security of storage devices, digital access controls, and organizational policies and procedures. Robust protocols secure information from outside threats, such as hacking, virus threats, fakesourcing, and phishing, as well as inside misuse and corruption. A strong data security policy employs protocols that are both technical (encryption, tokenization, data masking, redaction) and procedural (controlling access and retention of sensitive data).
Data security also implicates business obligations to protect customers’ private or confidential information as well as the business’s own proprietary information. For example, companies must handle in specific ways any identifying information about customers or website visitors it may obtain. Many laws and regulations create legal notice, use, and opt-out requirements for businesses in both regulated and non-regulated industries, often regardless of company size or revenue.
The pandemic has increased cybersecurity challenges. The Idaho Attorney General’s office reports that, since the beginning of the pandemic, phishing email scams are up 667%, 90% of the tens of thousands of new Coronavirus-related web domains are scams, and ransomware attacks have increased 72%.
What is the law?
Unfortunately, there is no single national law that creates a cybersecurity checklist. There are federal statutes, some general and some industry-specific; state laws that address privacy, data security, and data breach responses; and even international laws that affect many U.S. companies. For example:
To develop a data security protocol, companies should begin by evaluating several factors:
Other measures to consider include designating a security officer, conducting a risk assessment, implementing security protocols, continually monitoring your data security program, and creating privacy notices.
There are multiple sources online to assist your company in developing a cybersecurity strategy. For example, the National Institute of Standards and Technology created a Preliminary Cybersecurity Framework to help guide businesses develop a cybersecurity strategy. The State of Idaho maintains a website focused on helping Idahoans understand cybersecurity.
Cybersecurity strategies help businesses meet primary pandemic business concerns: maintaining revenue, strengthening customer relationships, preserving employee structures, and staying afloat. A strategic investment in cybersecurity is manageable and worth it.
Crisis can strike anytime, anywhere. Global pandemics, civil unrest, hurricanes, floods, devastating accidents, power outages, cyber-attacks—the list is endless. In times of crisis, your business’s leadership team has the responsibility to make critical decisions about the business’s future under extreme stress and often without all the facts. Having a formal crisis plan will equip your leadership team with the tools needed to survive a crisis and weather the storm.
Below, we identify the basic elements required to develop and implement a crisis plan and provide some simple tips for smaller- to medium-sized businesses to get this process started.
Strong Leadership In times of crisis, there is a direct correlation between strong leadership and survival. No matter the size of your business, your leaders must act with integrity, consistent with your business’s values and mission—even when it is most difficult to do so.
Assemble a Crisis Management Team (CMT) When faced with a crisis, the Crisis Management Team is the team that “battens down the hatches” by assisting leadership in implementing and executing a crisis management plan. If your business has several departments or divisions, your team should include employees from across those departments or divisions. If you are a sole proprietor or small business with few employees, then you may be the only member of your Crisis Management Team. That is fine. In times of crisis, you will wear not only your leadership hat but also your crisis management hat.
Develop a Crisis Management Plan (CMP) A good Crisis Management Plan identifies the potential disasters your business might face and the strategies to deal with them. In creating a plan, your Crisis Management Team should consult with all aspects of business operations to ensure the list is complete and to incorporate all available response strategies.
Here are some benchmarks for a thorough and responsive Crisis Management Plan:
Certain organizations, such as the British Standards Institute (BSI) or the International Organization for Standardization (ISO) provide crisis management and emergency standards from which any business can develop and create a CMP that fits the particularities of its industry and circumstances.
Train Your Employees Do not simply give your written Crisis Management Plan to your employees. Train them on it. Additionally, empower them to identify potential crises early and safely report those concerns to leadership or the Crisis Management Team.
Communicate Timely and Consistently Develop a communications plan that will produce thorough, simple, and consistent messaging about crises directly from your company’s leadership. Make sure communications are accurate and honest—even if potentially damaging to your company’s profitability.
Update the Crisis Management Plan Times change. New crises develop. A Crisis Management Plan is a living document and must be updated. Review it annually to ensure it remains relevant and addresses the potential crises that may have developed over time.
To ensure your business can operate smoothly during the next crisis, take the time to create a Crisis Management Team and develop a Crisis Management Plan. It will be well worth the time spent.
We have made it to 2021. Vaccinations bring hope and a light at the end of this global-pandemic tunnel. But the crisis is not over yet, and with it come opportunities for long-term planning and evolutionary growth.
As a result of the pandemic, companies are adapting to serve their customers in new and different ways. Flexible work arrangements and virtual platforms are becoming the norm and increasing both productivity and work-life balance. Customers are looking for places that prioritize safety and efficiency as well as personal relationships and commitment to community-oriented values. Amid all of this, businesses heading into 2021 report that their primary concern remains keeping money coming in the door.
How can lawyers help? By highlighting the steps businesses can take to reduce risk, prevent loss or further expense, avoid litigation, and stay on mission. Having spent decades helping companies navigate expensive lawsuits, we know exactly how costly and risky the courtroom can be. Now is the time for battening down the hatches: preparing for trouble, securing weak spots, and tightening the ship to survive not only the waning days of a global pandemic but also the fundamentally different ecosystem that will follow.
In the coming weeks, we will explore some of those steps here.
Crisis plan. Crisis can strike anytime, anywhere. Global pandemics, civil unrest, hurricanes, floods, devastating accidents, power outages, cyber-attacks—the list is endless. In times of crisis, your company’s leadership team has the responsibility to make critical decisions about the company’s future under extreme stress and often, without all the facts. Having a formal, written, and tested crisis plan will equip your company with the tools needed to survive a crisis.
Data security. The seismic shift to work-at-home and remote services means companies are aggressively expanding their technological platform. Client-centric business models often require collection of data, particularly customer data, as paramount to providing attractive customer services. But this also brings inherent and increased risk of privacy compromise from data breach or mishandling. Businesses of all sizes need to have meaningful, practical approaches to protecting data from intrusion, theft, and mishandling—and, of course, from litigation.
Information preservation. The flip side to data security is the preservation of information critical to business function. Traditional wisdom recommends keeping everything. Many laws require preservation of information for certain statutorily mandated periods of time. And anyone who has been in a lawsuit knows the fundamental importance of preserving information for and in response to litigation. But keeping everything is becoming impractical, inefficient, expensive, and often unnecessary. Developing practical and useful information preservation strategies is critical to managing risk.
Protection of intellectual property (IP). Businesses can take simple first steps to protect their IP—their names, logos, copyrights, patents, and trademarks. Risks to IP often come from unexpected corners: employees and contractors who help create systems or processes the employer owns; vendors with access; licensees; publishing companies. A structure and strategy for best practices can help a business protect some of its most important work.
Employee safety and relationships. The landscape for protecting employees and maintaining healthy employee relationships has broadened. Remote work, COVID-19 exposure, civil unrest, compensation requirements, and the expansion of employee engagement create an opportunity for businesses to revisit their employment policies and strategies.
Behavior and culture as risk management. We see it all the time: relationships and behavior lead to disputes that lead to litigation. Toxic workplace cultures bleed into the customer experience. Bad behavior, or non-productive behavior, inhibits companies from adapting to changing circumstances or developing into their potential. Customers and investors are demanding a greater focus on diversity, equality, and inclusiveness in business composition and services. Businesses can and should develop internal standards for behavior and culture. Such standards will create a healthy work environment that is conducive to success and allow businesses to better engage with their communities.
By addressing each of these topics, we hope to assist businesses in battening down their hatches so that they may continue to prepare for and weather any impending storm.
Each year, the Idaho Chapter of the Federal Bar Association partners with Boise Firefighters Ladder #149 and sponsors the Toy Brigade: a collection of donated toys, clothing and cash as holiday gifts for children in need, ill, or homeless.
The need this year was urgent. The Boise Rescue Mission identified children in Boise, Idaho for whom there would be no holiday celebration or presents without the help of the Toy Brigade. Their families struggle to put food on the table, heat their homes, or keep fuel in their cars, where many are living this year. The Rescue Mission provided a list of each child’s clothing size and “wish list” for Santa.
Idaho FBA, headed by its President Alyson Foster and Executive Director Susie Headlee, quickly gathered support from all corners of Idaho's legal community to provide a range of gifts and donations to 56 children and their families. Dempsey Foster was very happy to do some Christmas shopping for kids in need.
Happy holidays to all.
We at Dempsey Foster are heartbroken and outraged by recent events in Boise. Armed protesters targeted the private family homes of elected officials. The Idaho Anne Frank Human Rights Memorial was vandalized with Nazi symbols.
We denounce these hateful actions. We pledge to speak out against intimidation and hate and act in our personal and professional lives to build, not destroy, our community.