New York City’s New Biometric Information Law Governs Collection and Use of Consumer Health Data

For risk professionals, the COVID-19 pandemic has increased the importance of ensuring customer and employee safety measures are incorporated into operations, processes and future strategies. As many businesses reopen from pandemic shutdowns or return from remote work arrangements, some enterprises are now exploring both the effectiveness and the risks associated with conducting health screenings that collect biometric information and other personal health data.

This month, New York City released the Biometric Information Law, a new measure that goes into effect on July 9 and imposes disclosure requirements on businesses that collect consumer biometric information.

It also sets parameters on what they can do with that information, most importantly, prohibiting the exchange of biometric information for anything of value.

As detailed in a recent client notice from the law firm Reed Smith, highlights from the law include:

  • The measure requires a business that “collects, retains, converts, stores or shares biometric identifier information of customers” to place a “clear and conspicuous sign” near all consumer entrances that, in plain language, discloses the collection, retention or sharing of biometric information.
  • It stipulates that it is unlawful to “sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.”
  • It establishes “an ‘aggrieved’ consumer’s private right of action,” meaning that “[a]ny person who is aggrieved by a violation by this chapter is entitled to commence an action to enforce its protections.”

There are key exclusions, however, as “governmental agencies, employers, or agents” are expressly excluded from compliance with any provision.

New York is not the only state to enact a law attempting to govern how organizations can use biometric information. Arkansas, California, Illinois, Texas and Washington have also set guidelines for businesses.

Indeed, the recent Risk Management Magazine article “Preparing for Biometric Litigation from COVID-19” addresses the imminent and critical questions businesses must answer when collecting and handling such data.

Sensitivities surrounding the confidentiality of biometric and other health information are not new in certain industries, such as healthcare. Further, even before COVID-19, risk professionals were already grappling with the risks associated with new biometric technologies and the data collected, especially with regard to facial recognition, wearables and even the rise in popularity of telehealth.

Now, with every organization on high alert about infectious diseases and how quickly they can interrupt business, health and safety have become top priorities for every risk professional in every sector.

As risk professionals look to new technology for help with these concerns, monitoring the emerging regulation and security risks around health and biometric technology will become increasingly critical in balancing benefit and risk to their organizations.
Data security will continue to remain a significant threat, but New York’s Biometric Information Law should serve as a reminder that what the organization does with that data can also have a lasting impact on the enterprise’s reputation and consumer trust.

For more information to help risk professionals manage new health technology and data, check out these articles from Risk Management Magazine:

COVID-19 Vaccines: Should You Mandate, Motivate or Educate Employees?

For the past year, employers have grappled with unprecedented workplace safety and human resources challenges, forced to address safety measures that were unfamiliar for many industries. Employees have become accustomed to daily health screening and masks, and human resources has added COVID safety training and enforcement to its job duties. As vaccines are becoming more prevalent, employers have to now decide whether they should vaccinate their workforces. Making this decision can seem daunting and the applicable employment laws can seem overwhelming. However, there are some baseline considerations that may help.

As a threshold matter, employers are obligated under the OSHA General Duty Clause to provide a safe working environment to their employees. At the direction of President Joe Biden, OSHA released new comprehensive guidance regarding COVID workplace safety, including a 16-point list of essential components of a workplace safety program. OSHA recommended that employers make the vaccine available to eligible employees at no cost, and made clear that employers must continue to enforce COVID safety protocols regardless of an employee’s vaccination status “because at this time, there is not evidence that COVID-19 vaccines prevent transmission of the virus from person-to-person.”

Employers now must determine whether they will mandate, motivate, or educate employees to receive the vaccine. They will first have to determine whether the vaccine will provide a safer working environment. While it seems clear that the vaccine will minimize or eliminate the vaccinated individual’s COVID symptoms, it remains unclear whether a vaccinated worker may spread the virus to others. Therefore, a vaccinated workforce may still be a contagious one.   

Businesses that serve in-person customers may benefit from mandating the vaccine. A local restaurant or retailer may be able to advertise that its staff is vaccinated, encouraging patrons to return. While a mandatory vaccine program may be complex, the benefit of returning customers may outweigh the pain of a program. Conversely, in an organization where most employees have remained remote and business has continued at normal levels, the complexity of a mandatory program may not be worth it. In the latter scenario, it may be better to implement a voluntary program, which is easier to administer and has less compliance complexity. Employers will have to weigh the return on investment for each approach.

Employers will also have to determine their appetite for risk. Many initially lean toward a mandatory vaccine approach in an effort to protect employees from becoming seriously ill. However, even mandatory programs pose liability risks for employers. Essentially, there are two schools of thought regarding mandatory vaccine programs:

  1. A vaccinated workforce is essential to safety. A vaccinated workforce will reduce community spread and bring the workforce closer to herd immunity. The fewer employees that become symptomatic or sick, the sooner we may reduce COVID-19’s spread. Likewise, it would be negligent, or a violation of the employer’s General Duty obligations, to not mandate eligible employees to receive the vaccine.
  2. The vaccine is too new to mandate. On the other hand, some believe that it would be negligent, or a violation of an employer’s General Duty to require employees to receive the vaccine, noting that the vaccine is merely under emergency authorization. Consequently, mandating that eligible employees receive the vaccine would create employer liability for any possible harm the vaccine could cause to employees.  

It is also important to note that mandatory programs will likely trigger workers compensation coverage for any medical services and/or lost time associated with employee reactions to the vaccine. Workers compensation coverage is not always a bad thing. Employers should remember that the workers compensation exclusive remedy provision protects employers from negligence and tort claims (but not gross negligence). 

Employers should also consider the practical and operational complexities associated with a vaccination program. Employers who implement a mandatory program must be prepared to enforce the rules. They may be faced with difficult decisions regarding candidates and eligible employees who refuse to receive the vaccine (without any legal protections). Can the employer continue to recruit and retain talent under a mandatory program?

Regardless of where an employer lands on the vaccine program spectrum, they must take their employee complaints and concerns seriously. Likewise, employers must not take adverse action against a complaining employee. Employee OSHA whistleblower cases have reached unprecedented numbers. As of February 5, there have been 4,738 COVID OSHA whistleblower complaints filed in the previous 12 months. Before 2020 (and COVID-19), the largest number of complaints received by OSHA in a 12-month period was 3,355 in 2016.

The good news, if there is any, is that employers that provide safe working environments, are open to employee concerns, and communicate with workers are already taking positive and proactive steps to avoiding liability and litigation. The following best practices may be helpful: 

  • Review your COVID safety program to ensure it comports with OSHA’s 16-point COVID prevention program guidance, and continue to review and update as guidance and regulations change.
  • Provide managers and employees regular safety training, and provide managers with training to enforce safety programs, hold employees accountable, and document all safety incidents and violations.
  • Stay up to date with regulations. OSHA has updated emergency temporary standards, and local and state laws continue to change rapidly.
  • Update anti-retaliation policies to include COVID safety protocols. Also consider a whistleblower hotline and ensure that managers are trained and understand how to take seriously and address employee concerns and complaints.
  • Be sure your workforce has the most current information regarding COVID-19, its symptoms and transmission, and the vaccine. Also be sure to provide all communication in multiple languages for a multilingual workforce.

Ultimately, COVID workplace safety is at the core of any employer’s operations. Whether an employer mandates, motivates or educates its employees to receive the vaccine, they must continue to evolve and enforce their COVID safety protocols.

Texas Cold Crisis: Insurance Options for Severe Weather Disruption

On February 15, a massive and unseasonal storm with frigid temperatures spiked the demand for power and outpaced the supply, severing power to 26 million Texans. Unpredictable weather patterns present risks for business owners, but also create an opportunity to improve their risk mitigation strategies to address future uncertainties. 

Power outages are not caused by storms alone. Heat waves, hurricanes and wildfires can also create power outages—and outages are more common than business leaders may think. S&C’s 2018 Commercial and Industrial Power Reliability Report found that one in four businesses experience at least one power outage per month. The Department of Energy estimates that these outages cost companies $150 million per year. Although companies may face spoilage-related losses, data centers often experience the most severe consequences. When a data center goes down, it can impact a business’s most vital proprietary assets. According to a Ponemon Institute study, the cost of an unplanned data center outage is $5,600 per minute with an average recovery time of 119 minutes, resulting in a loss of over $690,000.

The cost for businesses goes beyond damage. Litigation tends to run rampant, and with the recent Texas power outages, businesses are already facing lawsuits. The family of an 11-year-old boy who died of hypothermia is suing energy company Entergy and grid operator Electric Reliability Company of Texas. Multiple wrongful death lawsuits are predicted from incidents including carbon monoxide poisonings, house fires and shelter closings.

A range of insurance options can help businesses protect themselves from complex, evolving and completely unpredictable risks such as natural disasters and climate change.

Property insurance protects the building and physical assets like equipment, supplies, inventory, fixtures and computers. However, property insurance may not provide all the coverage needed. Exclusions like floods, sink holes, earthquakes, terror incidents, and chemical, nuclear, biological and environmental events are likely not covered. An unexpected policy exclusion can be devastating and result in a claim being denied, leaving business owners and leaders feeling helpless and infuriated.

Business interruption insurance is helpful but may not be enough. Typically, when damage obstructs business operations, it is covered by property insurance, and business interruption insurance covers losses from interruption. However, a natural disaster can create a perfect storm, so to speak. For example, if an establishment is forced to close due to lack of power, there can be a denial of claims. Business owners may be able to have property repaired, but cannot recoup the lost revenue through insurance.

Another option for businesses is to choose captive insurance and own their own insurance company. This establishes a more robust approach to risk management, and enables the business or business owner to own a profitable second business. This can help lower commercial insurance costs, build up assets and loss reserves, enhance critically needed cash flow and liquidity, and help prevent losses from hollowing out the total business entity. Importantly, successful captive insurance companies are filled with liquid assets that back the reserves for potential future losses, owned by the business or business owner. Liquid assets are often more desirable than durable assets that depreciate and may be difficult to sell. Finally, a captive insurance company is a regulated entity.

A captive primarily insures its parent company or related companies, so the parent company can purchase insurance from its wholly owned captive. Such purchases may replace all, or a portion, of its commercial insurance. Additionally, risks that are unable to be insured, are cost prohibitive, or are underinsured in the commercial insurance market can be placed in the captive insurance company. The captive can also insure gaps in third-party commercial insurance policies.

Benefits of Captives in Natural Disasters

While businesses with claims for property insurance or business interruption coverage are denied, a business with a captive insurance company would not face exclusions that leave it vulnerable. Since a captive insurance policy can be written to be broad and robust, it has more triggers than third-party commercial insurance, so an event may be covered where business interruption might not provide coverage.

Captive insurance also serves as a valuable financial strategy. When captives build up loss reserves, backed by corresponding assets, those assets are available for dealing with a catastrophic event. When a business has to restart or relocate their operations, assets are readily available to help it navigate the challenges and pursue big changes. The business owner can use the asset buildup in successfully managed captive insurance companies to help grow the business by funding acquisitions, growth strategies and enhanced risk mitigation strategies via a dividend from the captive insurance company to the business owner.

Before another crisis strikes, businesses should review insurance policies, determine whether current policies offer adequate coverage, and determine if a captive will help them face the next worst-case scenario.

On Data Privacy Day, Catch Up on These Critical Risk Management and Data Security Issues

Happy Data Privacy Day! Whether it is cyberrisk, regulatory risk or reputation risk, data privacy is increasingly intertwined with some of the most critical challenges risk professionals face every day, and ensuring security and compliance of data assets is a make or break for businesses.

In Cisco’s new 2021 Data Privacy Benchmark Report, 74% of the 4,400 security professionals surveyed saw a direct correlation between privacy investments and the ability to mitigate security losses. The current climate is also casting more of a spotlight on privacy work, with 60% of organizations reporting they were not prepared for the privacy and security requirements to manage risks with the shift to remote work and 93% turning to privacy teams to help navigate these pandemic-related challenges. Amid COVID-19 response, headline-making data breaches and worldwide regulatory activity, data privacy is also a critical competency area for risk professionals in executive leadership and board roles, with 90% of organizations now asking for reporting on privacy metrics to their C-suites and boards.

“Privacy has come of age—recognized as a fundamental human right and rising to a mission-critical priority for executive management,” according to Harvey Jang, vice president and chief privacy officer at Cisco. “And with the accelerated move to work from anywhere, privacy has taken on greater importance in driving digitization, corporate resiliency, agility, and innovation.”

In honor of Data Privacy Day, check out some of Risk Management’s recent coverage of data privacy and data security:

CPRA and the Evolution of Data Compliance Risks

Also known as Proposition 24, the new California Privacy Rights Act (CPRA) aims to enhance consumer privacy protections by clarifying and building on the expectations and obligations of the California Consumer Privacy Act (CCPA).

Frameworks for Data Privacy Compliance

As new privacy regulations are introduced, organizations that conduct business and have employees in different states and countries are subject to an increasing number of privacy laws, making the task of maintaining compliance more complex. While these laws require organizations to administer reasonable security implementations, they do not outline what specific actions should be taken. Proven security frameworks like Center for Internet Security (CIS) Top 20, HITRUST CSF, and the National Institute of Standards and Technology (NIST) Framework can provide guidance.

Protecting Privacy by Minimizing Data

New obligations under data privacy regulation in the United States and Europe require organizations not only to rein in data collection practices, but also to reduce the data already held. Furthering this imperative, over-retention of records or other information can lead to increased fines in the case of a data breach.

As a result, organizations are moving away from the practice of collecting all the data they can toward a model of “if you can’t protect it, don’t collect it.”

3 Tips for Protecting Remote Employees’ Data

As COVID-19 continues to force many employees to work from home, companies must take precautions to protect sensitive data from new cyberattack vulnerabilities. That means establishing organization-wide data-security policies that take remote workers into account and inform them of the risks and how to avoid them. These three tips can help keep your organization’s data safe during the work-from-home era.

What to Do After the EU-US Privacy Shield Ruling

It was previously thought that the EU-US Privacy Shield aligned with the EU’s General Data Protection Regulation (GDPR), but following the CJEU’s recent ruling, the Privacy Shield no longer provides a mechanism for legitimizing cross-border data flows to the United States. This has far-reaching consequences for all organizations that currently rely on it. In light of the new ruling, risk professionals must help their organizations to reevaluate data strategies and manage heightened regulatory risk going forward.

The Risks of School Surveillance Technology

Schools confront many challenges related to students’ safety, from illnesses, bullying and self-harm to mass shootings. To address these concerns, they are increasingly turning to a variety of technological options to track students and their activities. But while these tools may offer innovative ways to protect students, their inherent risks may outweigh the potential benefits. Tools like social media monitoring and facial recognition are creating new liabilities for schools.

2020 Cyberrisk Landscape

As regulations like CCPA and GDPR establish individuals’ rights to transparency and choice in the collection and use of their personal data, one can expect to see more people exercise these rights.

In turn, businesses need to ensure they have formal and efficient processes in place to comply with such requests in the clear terms and prompt manner these regulations require, or risk fines and reputation fallout. These processes will also need to provide sufficient documentation to attest to compliance, so if businesses have not yet already, they should be building auditable and iterative procedures for “data revocation.”

Data Privacy Governance in the Age of GDPR

As personal information has become a monetizable asset, risk, compliance and data experts have increasingly been forced to address the regulatory and operational ramifications of the rapid, mass availability of personal customer and employee data circulated both inside and outside of organizations. With new data protection regulations, Canadian and U.S. companies must reassess how they process and safeguard personal information.

Key Features of India’s New Data Protection Law

Among the new data protection laws on the horizon is India’s Personal Data Protection Bill. While the legislation has not yet been approved and is likely to undergo changes before it is enacted, its fundamental structure and broad compliance obligations are expected to remain the same. Companies both inside and outside India should familiarize themselves with its requirements and begin preparing for how it will impact their data processing activities.