DOL Confirms Cybersecurity Guidance Applies to All Employee Benefit Plans

The U.S. Department of Labor (DOL) published Compliance Assistance Release No. 2024-01 on September 6, 2024. The release, titled “Cybersecurity Guidance Update,” clarifies that the cybersecurity guidance the DOL issued in April 2021 applies to all employee benefit plans, including health and welfare plans. The DOL states that since the guidance was published, service providers have told plan fiduciaries and Employee Benefits Security Administration (EBSA) investigators that the guidance applies only to retirement plans.

President Biden Signs Sweeping Artificial Intelligence Executive Order

On October 30, 2023, President Joe Biden issued an executive order (EO or the Order) on Safe, Secure, and Trustworthy Artificial Intelligence (AI) to advance a coordinated, federal governmentwide approach toward the safe and responsible development of AI. It sets forth a wide range of federal regulatory principles and priorities, directs myriad federal agencies to promulgate standards and technical guidelines, and invokes statutory authority (the Defense Production Act) that has historically been the primary source of presidential authority to commandeer or regulate private industry to support the national defense. The Order reflects the Biden administration’s desire to make AI more secure, to cement U.S. leadership in global AI policy ahead of other attempts to regulate AI (most notably in the European Union and United Kingdom), and to respond to growing competition in AI development from China.

ICO Publishes Guidance on Handling Worker Health Data

On 31 August 2023, the UK Information Commissioner’s Office (ICO) published guidance on the handling of worker health data for employers (ICO Guidance). The ICO Guidance aims to provide tips and good practice advice about how to comply with applicable data protection legislation such as the UK GDPR when collecting and processing worker health data. Helpfully, the ICO Guidance also contains various checklists to help employers assess data protection considerations when processing worker health data.

Compliance Updates for Employer’s use of Automated Decisionmaking Tools: New York City Finalizes Rules on Automated Employment Decision Tools and Sets Enforcement Date for July 5, 2023, Upcoming California Regulations, and Federal Guidance

Employers in New York City may soon be subject to a new law, Local Law 144, that regulates employers’ use of automated employment decision tools (“AED tools” or “AEDT”), meaning software and other programs used to make decisions about whom to hire, whom to promote, and other employment decisions. Local Law 144, the first law of its kind regulating these AED tools, was originally supposed to go into effect on January 1, 2023; however, because needed regulatory guidance had not been issued, the effective date was repeatedly pushed back and is now set for July 5, 2023. Final rules were released on April 6, 2023, so further delays are unlikely. We summarize below the key provisions of Local Law 144 and what employers need to know to prepare.

Equal Employment Opportunity Commission Looks at AI

2023 is rapidly becoming the year of AI policy and regulation. A particular focus of regulatory concern relates to AI impacts on employees, and the U.S. Equal Employment Opportunity Commission (EEOC) is not sitting on the sidelines. On January 31, 2023, the EEOC held a public hearing to examine the use of automated systems, including artificial intelligence (AI), in employment decisions. This hearing, titled “Navigating Employment Discrimination in AI and Automated Systems: A New Civil Rights Frontier,” continues the work of the Artificial Intelligence and Algorithmic Fairness Initiative, which was launched in 2021 by the EEOC. Through this initiative, the EEOC has already published guidance titled “The Americans with Disabilities Act and the Use of Software, Algorithms, and Artificial Intelligence to Assess Job Applicants and Employees.” Below are a few high-level takeaways from the hearing:

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

Big California Privacy News: Legislative and Enforcement Updates

Privacy never sleeps in California. In recent days, as California’s legislative session comes to a close, there have been a number of significant legislative and regulatory developments in the state, each of which will likely (again) change the privacy landscape in California and, by extension, the rest of the country. For businesses operating in California or whose websites, products or services reach California residents, these changes mean new compliance obligations, some of which could require significant investments of time and resources. The impact of these changes highlights once again how the United States lacks a consistent national policy on privacy that could be set by a comprehensive federal privacy law.

SEC Encourages Self-Reporting of Recordkeeping Violations Resulting From Employees’ Use of Personal Devices for Business Communications

On December 17, 2021, the U.S. Securities and Exchange Commission (SEC) announced settled charges against a broker-dealer firm for recordkeeping violations arising from its employees’ use of personal devices for business communications. The firm agreed to pay a $125 million penalty and to retain a compliance consultant to conduct a comprehensive review of its policies and procedures relating to the retention of electronic communications found on personal devices. In announcing this enforcement action, the SEC encouraged registrants to self-report similar failures to the SEC.