Tom Starner

Tom Starner is a freelance business writer and editor. He can be reached at riskletters@lrp.com.

Regulatory Risk

Union-Related Regulations Increase

Three recent NLRB decisions make it more difficult for employers. GOP control of Congress probably won't make a difference.
By: | January 12, 2015 • 5 min read

The National Labor Relations Board surprised virtually no one when it issued a trio of pro-employee decisions as 2014 drew to a close, according to employment-law experts.

But it’s anyone’s guess what will happen after a coalition representing an array of industry sectors and businesses filed suit in the U.S. District Court for the District of Columbia to stop the NLRB from moving forward with its “ambush-elections” rule, which it issued on Dec. 12.

In each of the board’s decisions — regarding employee use of company email for union organizing; the NLRB’s so-called “quickie-election” rule; and changing its standard for deferral to arbitration awards — the board basically told affected employers they will have to adjust to the enhanced union organizing efforts within their workforces.

“It’s not unprecedented to see a rush of substantive NLRB decisions at the end of the year, especially with a board member leaving,” said Steve Bernstein, a partner in the Tampa, Fla., office of Fisher & Phillips, referring to outgoing member Nancy Schiffer, whose term ended Dec. 31.

“They had a full quorum [five voting members] and an upcoming changeover in Congress, so given the Board’s makeup [three Democrats, two Republicans] and based on earlier actions no one is surprised with the flurry of decisions favoring employees.”

Bernstein, in fact, characterized the email decision as “seven years in the making,” with labor unions working to get a Bush administration NLRB rule overturned since the day President Barack Obama took office.

“This decision is the culmination of those efforts,” Bernstein said.

What’s most important, he said, is where the email decision fits into the context of other NLRB decisions, and to what extent it’s part of the broader trend of eroding employer property rights.

“There has always been tension between employer-property rights and union-access rights, and this is more of the same.”

Employers Losing Control

Patrick Muldowney, a partner at Baker Hostetler in Orlando, Fla., said the main takeaway on the email decision is that employers are losing even more control over what occurs in their workplaces, including the ability to enforce their email policies.

“Apart from the idea that this is the employer’s [email] network, its asset, it also gets into the idea of what is work time and potentially opens up significant access to unions and union sympathizers,” Muldowney said.

“There are employers that do have very strict ‘business only’ policies regarding email, and they have always been difficult to police, but [employers] still had the right to do so,” he says. “Now, in light of the board’s decision, that can be more of a risk.”

Muldowney says employers must tread carefully when reviewing or even becoming aware of employees’ emails, especially regarding employee discipline. They need to know if an email is an exercise of Section 7 rights.

“Employers must review their policies and amend them so they are not subject to attack by unions after an unsuccessful election,” he said.

Legal experts also said the decision probably will raise questions about the definition of “nonworking” time, because the NLRB decision stated that workers only have the right to use the company email system for the labor-related issues during nonworking time, “unless an employer can show that doing so would hurt production or discipline.”

Joel Barras, a partner and employment attorney at Reed Smith in Philadelphia, said the email decision also raises a potential litigation issue.

“An employer’s communication system may also become an incredibly effective tool used to recruit members to form or join class-action cases,” he said.

Quickie Elections

While the NLRB said its “quickie-election” rule was simply “modernizing its processes,” legal experts said that reducing the time between the filing of a petition and a union election denies employers an adequate chance to stage an anti-union campaign prior to employee voting.

This rule goes into effect on April 14.

The average time for the election process is now somewhere between 38 and 42 days, experts said. The new rule can drop that number to as few as 10 or 20 days, which, critics contend, creates an “ambush-election” scenario — and is a serious setback for employers trying to respond to worker demands and union promises.

Arbitration Awards

The third key NLRB decision changed the standard for deferral to arbitration awards for employees who allege they suffered retaliation or reprisal for engaging in union and/or protected concerted activity in violation of the National Labor Relations Act.

The NLRB ruled that employers urging deferral to an arbitration award now must prove that the “statutory issue” was presented to the arbitrator, that the arbitrator considered the statutory issue, and that NLRA law “reasonably permits” the award.

The rule gives the NLRB more discretion whether to exercise deference to arbitration procedures, Muldowney said.

“The standard used to be deferring to an arbitration award when it wasn’t clearly repugnant to the NLRA,” he said. “You might say this gives an employee another bite at the apple if they are not happy with an arbitration outcome. The board has said it no longer needs to automatically defer to arbitration decisions.”

GOP Control

It’s unclear whether the new Congress, with both bodies now controlled by the GOP, will make things tougher for the NLRB’s employee-friendly decisions.

Muldowney said that Obama administration nominees may face a tougher approval process.

“It won’t be as easy to get more hardcore pro-union members through the Senate,” he said. “Or, nominees for the board could become collateral damage relating to whatever battles Congress has with the president regarding other issues — the immigration executive order, for example.”

Barras doesn’t expect current board members to be swayed by the GOP-controlled Congress, which, he said, only has two levers it can pull: not approving a presidential nominee or withholding funding. The latter probably will not happen, he said.

For now, Barras recommends that organizations review personnel policies and adopt and/or strengthen existing union avoidance programs, as waiting for a petition to be filed might be too late.

“You have to stay on top of it,” he said.


Retail Data Exposures

Emerging Ways to Pay

New e-payment systems offer some data security advantages but they face implementation difficulties.
By: | November 17, 2014 • 6 min read

With massive data breaches among big box retailers and major banks consistently making headlines, the cry for more secure consumer payment methods has reached a crescendo.

Yet, the critical question remains: Will emerging technologies — from “chip/pin” credit cards to Apple Pay, Google Wallet and other similar e-payment products — stem the data risk tide?

And if so, will there be a winner among the group? Will there be a single payment system that can give both retailers and their customers a sense of security that currently doesn’t exist?

It’s much too early to tell, experts said. The main challenge now may be sorting through the various technological options — in addition to the potential cost and difficulty of implementing a new standard system.

Video: Mashable took Apple’s new payment system to the streets of New York City to see how it worked.

For example, some large retailers such as Wal-Mart, Rite Aid and CVS recently announced they would not accept Apple Pay, which uses the iPhone and major credit cards as its “touchless” payment delivery system.

Those large retailers and others are planning to use an alternative e-payment technology, called CurrentC, which bypasses major credit cards completely. The retailers favor that system because it eliminates the transaction fees charged by credit card companies to retailers.

According to Aaron Press, director of e-commerce and risk solutions at LexisNexis Risk Solutions in Dallas, each of the various mobile wallet systems has its own advantages.

One key benefit of systems such as Apple Pay and CurrentC is that they do not pass actual card data to the merchant, so there is no account information either in storage or in transit that can be compromised.

“If the wallet systems are secure, then consumers benefit from not sharing their payment credentials with merchants,” he said. “This means that even in the event of a breach, the consumer will not have to worry about their information being stolen and dealing with the hassle of disputing fraudulent charges or receiving new account numbers.”

In addition, said David Katz, leader of the privacy and information security practice group at Nelson Mullins in Atlanta, Apple Pay’s biometric Touch ID technology makes it “difficult for a thief or imposter to use an iPhone to complete transactions fraudulently.

“Consumers whose phones are stolen or misplaced can easily use the ‘Find my iPhone’ feature to suspend all payments,” he said.

However, he added, with 800 million credit cards on file — not to mention the brand new watch/fitness trackers that contain large amounts of health data — Apple may have succeeded in making itself the primary target.

Press noted that it is not yet clear whether Apple Pay or CurrentC will be vulnerable to fraudulent use.

E-wallet providers must ensure that the credentials being provisioned and used actually belong to the consumer attempting to use them, and that the applications, processes and infrastructure are secure, he said. The biometrics used with the Apple Pay process are helpful, but not a panacea.

Biometric Advances

Apple Pay, however, represents a security improvement over magnetic stripe architecture since it requires stealing a victim’s phone and successfully duplicating their fingerprint to commit fraudulent transactions, said Paco Hope, principal consultant at security consulting firm Cigital, in Dulles, Va.

Apple Pay also includes architecture (such as proxy numbers instead of account numbers) that contributes additional security, he said.

Russ Spitler, vice president of product management at AlienVault, a security provider in San Mateo, Calif., called Apple Pay a “major move” for the payment industry.

While the underlying technology is not new, Apple has the market share and mindshare to make it popular, he said. Shifts in payment technology are driven by consumer demand, not retailer preference.

“In the past, Apple has proven to manage private data very responsibly — they take encryption seriously and implement it well,” Spitler said. “They are still prone to attacks against their users such as the recent iCloud issues — but they are working to add more features to help safeguard even in that situation.

“With Apple Pay, I am hopeful we will turn the corner on the horrible status quo of credit cards,” he said.

Structural Challenges

Because the U.S. adopted credit cards faster than they spread across Europe, Spitler said, the infrastructure in the U.S. is antiquated and entrenched, such as the point-of-sale (POS) systems reliant on magnetic stripe technology.

Moving past that to new EMV-based credit cards (also referred to as chip-and-PIN, chip-and-signature, chip-and-choice, or generally as chip technology) will require a major retrofit of a very distributed payment system in use for a long period of time, he said.

Video: A brief look at some of the advantages and challenges with EMV technology.

“Each corner store will have to invest in new technology at great cost to themselves and without any demand from the consumer; that’s a really difficult request to make of a small business,” he said.

EMV supports dynamic authentication (numbers change with each transaction), which means a cardholder’s data is more secure on a chip-enabled payment card than on a magnetic stripe card, and is much more difficult to copy or counterfeit.

“Magnetic stripe technology makes it dirt simple to clone a card once you have the electronic data associated with it,” Spitler said.

However, he said, the use of chip/pin technology does not guarantee the long-term elimination of risk.

“Even if the world magically adopted chip/pin technology overnight, hackers would simply find a new way to turn card data into money,” Spitler said.

Hope said that payment networks are introducing risk management beyond simply accepting or denying charges. Contactless payment systems deployed in the UK, for example, are usually dependent upon a variety of limits on total amount, number of transactions and transactions per time period.

“This is what it looks like when modern risk management meets the retail experience: the strength of the security measures in place,” he said. “Retail customer data in the future will be much more carefully protected using similar designs.”

Cyber Coverage

Regardless of what type of payment system is used, Collin Hite, who leads the insurance recovery group at Hirschler Fleischer in Richmond, Va., said all businesses should have cyber insurance, even though many companies still don’t believe they are likely targets.

The first party aspects of such coverage can be critical to a business since the insurance pays for forensic investigation and re-securing the network, in the event of a data breach, he said.

“This is typically the largest cost — not the actual loss of information of the consumers,” he said.

“While we know the Fortune 500 to 1000 are considering specific cyber coverage, middle-market businesses need to understand that they are as vulnerable as the ‘big boys,’ ” he said.

Craig Young, a mobile security researcher for Tripwire, in Portland, Ore., said the best risk management strategy is to move to the next technology as quickly as possible.

“The ancient swipe and sign technology that dominates American retail is long overdue for a funeral,” he said. “For years, credit cards have been low-hanging fruit for thieves with a variety of techniques to steal card data, reproduce cards and start spending.”

LexisNexis’ Press added that it’s way too early to declare a front runner in mobile payments, and that magnetic stripe cards will be around for several more years.

“There is no security salvation or fraud magic bullet, but many of the new technologies offer a lot of promise,” Press said. “EMV will drastically improve POS security and reduce counterfeit fraud. Biometrics is a promising option for identity verification.”

But, he warned, new technologies can open the window to new problems while shutting the door to known issues. Adding new technologies such as mobile, he said, increases the number of potential blind spots.

“Companies need to evaluate the risks and benefits of adding any new commerce technology or channel to their environment,” Press said.


OSHA Compliance

Ratcheting up Reporting Rules

OSHA’s new incident-reporting rules are more onerous and may lead to increased litigation.
By: | October 15, 2014 • 3 min read

Everyone agrees on the merits of reducing accidental workplace fatalities and serious injuries.

Yet, according to some employment lawyers, including the former head of the U.S. Department of Labor’s Occupational Safety and Health Administration, impending OSHA reporting rule changes that go into effect on Jan. 1 are going to make things look worse.

Under the revised rule, employers will be required to notify OSHA of work-related fatalities within eight hours, and work-related in-patient hospitalizations, amputations or loss of an eye within 24 hours.

Previously, OSHA’s regulations required reporting of work-related fatalities and in-patient hospitalizations of three or more employees.

“Under the former rules, very rarely would more than three people go to hospital in a single incident, so the new rules can exponentially increase reporting,” said Ed Foulke, former head of OSHA under George W. Bush and a partner with Fisher & Phillips in Atlanta.

Also, all employers covered by the Occupational Safety and Health Act, even those who are exempt from maintaining injury and illness records (10 or fewer employees), are required to comply with OSHA’s new reporting requirements.

Foulke said the injury reporting requirements are “significant” changes.

To complicate matters, he said, OSHA has expanded the definition of amputations, so that even the loss of the tip of the finger, for example, without bone loss, now is considered an amputation, which is a reportable injury.

“That could lead to huge numbers in terms of reporting,” he said.

Foulke also said that the updated regulations add 25 new industries — such as “bakeries and tortilla manufacturers,” auto dealers, building supplies, beer, wine and liquor stores, performing arts companies and lessors of real estate — to those required to keep OSHA 300 injury and illness records.

Those records will be posted on the OSHA website, he said.

“OSHA never talked about it during this rule-making process for three years,” he said. “Plaintiff’s attorneys, unions, anti-industry groups and other organizations can easily obtain that information, and that could lead to increased litigation.”

According to the Bureau of Labor Statistics, 4,405 workers died on the job in 2013.

In announcing the new rules on Sept. 11, U.S. Secretary of Labor Thomas Perez said workplace injuries and fatalities are “absolutely preventable, and these new requirements will help OSHA focus its resources and hold employers accountable for preventing them.”

OSHA said it will not do an inspection based on every report, but rather will “interact” with the employers who file reports.

The “most obvious effect” of the new rules, said Bill Principe, a partner in Constangy’s Atlanta office, “is that when you report one of these types of cases, you can almost expect an OSHA inspection. And that gives you a chance to prepare properly. But no one knows at this point how long you are going to have to prepare.”

On the flip side, Principe said, the new regulations could overwhelm OSHA, with the sheer volume of new data coming in.

“I would believe that these types of report cases almost would take the place of general inspection schedules,” Principe said. “OSHA hasn’t said that the call-ins definitely will trigger an inspection, but that could turn out to be the case.”

Nickole Winnett, a senior associate in the Washington, D.C. office of Jackson Lewis, said the new OSHA rules “will require additional resources and time spent on providing the information, responding to follow up questions and, in some cases, being investigated for these types of accidents.”

She noted that once OSHA decides to do a worksite inspection, it can look for other safety issues as well.

“A relatively minor accident could trigger additional citations,” Winnett said.

The best strategy for employers, Foulke said, is to know what OSHA standards apply to them and make sure the company is in full compliance.

“They need to know what is required within every applicable standard,” he said, estimating, for example, that 50 percent of employers in the U.S. today have not done a basic workplace hazard assessment. “It’s important for several reasons, including maintaining a safer workplace.”
