By Jessica C. Engler

Canada’s new data breach law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), became effective on November 1, 2018. The Office of the Privacy Commissioner of Canada released new guidance providing explanations of the breach reporting requirements for private-sector businesses that operate in Canada or do business with Canadian customers. The new requirements of this law, particularly the breach notification requirements, should be on the radar of any United States-based businesses that also do business in Canada.

Under PIPEDA, organizations must report security incidents to the Privacy Commissioner of Canada if an incident carries “a real risk of significant harm” to consumers.[1] Regardless of the size of the breach or the number of affected persons, the breach must be reported if the business determines that there is a real risk of significant harm resulting from it. The guidance provided by the Privacy Commissioner clarifies that the organization that controls the data is the organization required to report the breach and notify affected individuals. Even when an organization has transferred the data to a third-party processor, the organization remains responsible for reporting and notification.

Naturally, a standard such as “real risk of significant harm” is open to some level of subjectivity and interpretation; however, the Privacy Commissioner has offered guidance to assist businesses in their review. Significant harm is defined as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record and damage or loss of property.” Factors to be considered in determining whether the breach creates a real risk of significant harm include: (1) the sensitivity of the personal information involved in the breach; and (2) the probability that the personal information has been, is being, or will be misused. “Sensitivity” is not defined by PIPEDA, but the concept is discussed in Principle 4.3.4, which provides some general considerations:

Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a news magazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.

Notification must be given “as soon as feasible” after the organization has determined a breach occurred. The notification must be conspicuous, understandable, given directly to the individual, and include several pieces of information including:

  • A description of the breach circumstance and, if known, its cause
  • The day or time period when the breach occurred
  • A description of the personal information subject to the breach
  • A description of the organization’s risk mitigation measures
  • A point of contact
  • The number of individuals affected
  • A description of how the organization will notify individuals

Organizations are required to maintain records of each data breach for at least 24 months after the date on which the breach was discovered. The records must contain sufficient information to allow the Office of the Privacy Commissioner to confirm that the organization has complied with the law.

The new law, which has been in the works for quite some time, includes extensive requirements and regulations in the event of a breach. In the event that a business determines that the sensitive information of a Canadian customer has been breached, the business would be well advised to consult with an attorney knowledgeable about PIPEDA and Canada’s data security laws.

***********************************************

[1] “What you need to know about the mandatory reporting of breaches of security safeguards”, Office of the Privacy Commissioner of Canada (available at https://www.priv.gc.ca/en/privacy-topics/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/#_Part_1).

By Sarah W. Anderson

On November 1, 2018, Senator Ron Wyden, a Democrat from the state of Oregon, introduced a bill that attempts to create a stronger consumer privacy act.[1] The draft legislation, referred to as the Consumer Data Protection Act, SIL18B29 (the “Bill”), amends and increases the powers of the Federal Trade Commission (“FTC”).[2]

According to Senator Wyden’s webpage, he drafted the Bill because “[t]he explosive growth in the collection and sale of consumer information enabled by new technology poses unprecedented risks for Americans’ privacy,” a risk he believes the Federal Government continually fails to address.[3] Therefore, Senator Wyden’s Bill both imposes greater security protection standards and sharpens the FTC’s teeth in terms of enforcement.

The Bill permits the FTC, as the “nation’s main privacy and data security regulator,” to fine, and yes, even jail, American executives for failure to protect consumer information. Specifically, the Bill proposes the following powers and tools for the FTC, which Senator Wyden hopes will give Americans greater privacy and control over their own personal data:

  1. Establish minimum privacy and cybersecurity standards.
  2. Issue steep fines (up to 4% of annual revenue) on the first offense for companies, and 10-20 year criminal penalties for senior executives.
  3. Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized.
  4. Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it.
  5. Hire 175 more staff to police the largely unregulated market for private data.
  6. Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.[4]

Additionally, businesses with annual revenue exceeding $1 billion that also store data of more than 50 million consumers will have to submit an annual data protection report to the FTC detailing their compliance with relevant security regulations. What’s more, in proposed §1352(b), entitled “Failure of Corporate Officers to Certify Data Protection Reports,” Chief Executive Officers, Chief Information Security Officers, and Chief Privacy Officers may be jailed for failure to certify and file annual reports to the FTC that document company efforts to comply with the Bill.

An executive’s first offense of this section will result in a fine “not more than the greater of $1,000,000.00 or 5 percent of the largest amount of annual compensation the person received during the previous 3-year period…imprison[ment] not more than 10 years, or both[.]” The same section prescribes that “intentional[ly]” certifying false statements for annual reports will result in a fine of “not more than the greater of $5,000,000.00 or 25 percent of the largest amount of annual compensation the person received during the previous 3-year period” or imprisonment “not more than 20 years, or both[.]”[5]

If passed, the Bill would represent a massive overhaul and increase in the FTC’s powers and available punishments. Generally, the FTC currently only has privacy protection powers under theories of “unfair trade practices.”

*****************************************************

[1] https://www.wyden.senate.gov/news/press-releases/wyden-releases-discussion-draft-of-legislation-to-provide-real-protections-for-americans-privacy

[2] https://www.wyden.senate.gov/download/11012018-wyden-privacy-bill-discussion-draft

[3] https://www.wyden.senate.gov/news/press-releases/wyden-releases-discussion-draft-of-legislation-to-provide-real-protections-for-americans-privacy

[4] https://www.wyden.senate.gov/download/11012018-wyden-privacy-bill-one-pager

[5] https://www.wyden.senate.gov/download/11012018-wyden-privacy-bill-discussion-draft

By Sarah W. Anderson

While an ocean away, supermarket Morrisons’ loss in the United Kingdom’s appellate court should act as a warning to all United States-based and international companies. On October 22, 2018, Morrisons lost its recent appeal in a landmark high-court ruling, being held vicariously liable for the intentional actions of a former employee, Andrew Skelton, that led to the leak of the personal information of more than 100,000 of its employees. This decision came down despite Morrisons’ demonstration that it had lawfully discharged its obligations under the United Kingdom’s Data Protection Act of 1998. In July 2015, Skelton was sentenced to eight years in prison.

This decision represents the United Kingdom’s warning that organizations have a significant duty to protect the personal data of their customers and employees, a duty that goes beyond the applicable data breach protection rules issued by various countries. And with 5,558 members of the Class Action, it is expected that Morrisons will face a hefty compensation ruling. According to Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represented the class, “Large corporations take responsibility when things go wrong in their own business and cause harm to innocent victims. It is important to remember that data protection is not solely about protecting information – it is about protecting people.” A spokesperson for Morrisons publicly stated that they will now appeal this decision to the Supreme Court.

Going forward, compliance officers for various corporations should anticipate legal responsibility for any type of data breach under the legal theory of vicarious liability if the Morrisons decision crosses the Atlantic. This is yet another signal of the importance of improving security protocols for company data, as well as additional screening for employees entrusted with that data.

Indeed, on October 26, 2018, the Middle District of North Carolina approved a class-action settlement for a 2016 disclosure of personal identifying information of employees of HAECO Americas, Inc. (“HAECO”), after W-2 statements were leaked in response to a phishing scheme. See David Linnins, et al v. HAECO Americas, Inc., 2018 WL 5312193 (M.D.N.C., 2018). The class action plaintiffs “asserted claims for negligence, invasion of privacy, and violation of the North Carolina Unfair and Deceptive Trade Practices Act[,] which included an alleged violation of the North Carolina Identity Theft Protection Act.” Id. at *1. According to published details of the settlement agreement, HAECO agreed to the following terms:

  • Provide affected parties with 2 years of Experian Protect MyID Elite services;
  • Reimburse $350 to members of the class that previously purchased similar identity theft monitoring programs;
  • Establish a claim fund in the amount of $312,500 to compensate class members for damages, expenses, and inconveniences they incurred; and
  • Take data and cyber security steps, including mandatory cyber security training for all employees, for at least three years. Id. at *1-*2.

The Middle District of North Carolina further ordered that the Plaintiffs’ counsels’ request for $150,000.00 in additional attorneys’ fees was reasonable. Id. at *4.

By Angela W. Adolph

Opportunity Zones (“OZs”) were added to the US Tax Code by the 2017 Tax Cuts and Jobs Act (“TCJA”). OZs are economically distressed communities where new investments, under certain conditions, may be eligible for preferential tax treatment. Communities are nominated by the states and approved by the Treasury Department as designated OZs.

OZs are designed to spur economic development by providing tax benefits to investors. First, investors can defer tax on any prior gains invested in a Qualified Opportunity Fund (“QOF”) until the earlier of the date on which the investment in a QOF is sold or exchanged, or December 31, 2026. If the QOF investment is held for longer than 5 years, there is a 10% exclusion of the deferred gain. If held for more than 7 years, there is a 15% exclusion of the deferred gain. Second, if investments in the QOF are held for at least ten years, investors are eligible for an increase in basis of the QOF investment equal to its fair market value on the date that the QOF investment is sold or exchanged. Importantly, investors do not have to live in the OZs in order to take advantage of the benefits; they need only invest a recognized gain in a QOF and elect to defer the tax on that gain.

Last week, the Treasury Department released the first set of proposed regulations and a related revenue ruling for OZs. The proposed regulations provide for the types of gains that may be deferred, the timing to invest such gains in QOFs, and the mechanism for electing deferral of such gains. The proposed regulations also address self-certification of the QOF, valuation of the QOF’s assets, and identification of OZ businesses.

Revenue Ruling 2018-29 addresses issues related to the qualification of an existing building and land in an OZ as OZ Business Property (“OZBP”). OZBP is tangible property used in a trade or business of the QOF (1) that is purchased by the QOF after December 31, 2017; (2) the original use of which commences with the QOF, or which the QOF substantially improves; and (3) during the QOF’s holding period, substantially all of the use of such property is in the OZ. OZBP is treated as substantially improved by the QOF if, during any 30-month period beginning after the date of acquisition, additions to basis exceed the adjusted basis of such property at the beginning of such 30-month period.

The Revenue Ruling notes that, given the permanence of land, land can never have its original use in an OZ commencing with a QOF. The Ruling then holds, first, that for an existing building located on land that is wholly within an OZ, the original use of the building in the OZ is not considered to have commenced with the QOF, and the original use requirement is not applicable to the land on which the building is located. Second, substantial improvement to the building is measured by the QOF’s additions to the adjusted basis of the building. Finally, measuring substantial improvement to the building does not require the QOF to separately substantially improve the land upon which the building is located.

The Treasury Department and IRS anticipate providing additional information, including additional legal guidance, on this new tax benefit over the next few months.

By Sarah Anderson

Adding publicity to the recent string of security breaches, Gemalto’s Breach Level Index released information on October 9, 2018 stating that, for the first half of 2018, approximately 291 records were stolen or exposed every single second.[1] Gemalto estimates that 945 data breaches led to 4.5 billion data records being compromised worldwide, an increase of approximately 133% over the last year. These data breaches came from varying industries, with health care representing 27% of data breach incidents and the financial sector following with an estimated 14% of the data breach incidents. Of all the data and records stolen, it is estimated that just 1% of this data was encrypted and only 9% of the security breaches were the result of an accidental loss.

This information comes as more than just a P.S.A. Both threatened and actual data security breaches pose a significant legal threat to all types of businesses – large and small, global and local. Therefore, many forward-thinking organizations are strengthening their security systems and updating policies to mitigate potential legal claims arising from security breaches.

While the question of whether or not the fear of identity theft following a data breach is sufficient to constitute standing for a class action is largely undecided in the United States, the United Kingdom’s High Court has already answered in the affirmative. More than 5,000 current and former employees of Morrison’s, an online supermarket, are suing their former employer in a class action for damages related to a data leak that resulted in exposure to potential identity theft and financial losses. In 2014, a former Morrison’s employee leaked the names, addresses, bank account details and salaries of 100,000 of his co-workers online and sent them to a newspaper.[2] While Morrison’s spent more than 2 million pounds to mitigate the effects of and remedy the breach, the issue of monetary damages that it may owe its former employees remains outstanding.

The Morrison’s matter was the first data leak class action in the United Kingdom.[3] In 2017, the High Court ruled that Morrison’s was vicariously liable for this criminal data breach by its former employee and allowed those affected by the data breach to claim compensation for distress. Morrison’s is presently appealing this ruling.[4]

No similar legal battle has yet played out so openly in the United States, as Target’s 2017 data breach resulted in a multi-million dollar settlement with the affected customers. However, with the ongoing and ever-increasing number of cyber threats and attacks on both private and public organizations, it is expected that victims of data breaches may become the next wave of class action plaintiffs.

If you have questions on how to protect your business and/or mitigate such claims in the future, please contact Sarah Anderson and Erin Kilgore.

____________________________________________

[1] https://www.gemalto.com/press/Pages/Data-Breaches-Compromised-4-5-Billion-Records-in-First-Half-of-2018.aspx

[2] https://www.bbc.com/news/uk-england-42193502

[3] https://www.theregister.co.uk/2018/10/09/morrisons_data_breach_appeal/

[4] https://www.bbc.com/news/uk-45793598
By Scott Huffstetler

On May 12, 2016, the U.S. Occupational Safety and Health Administration (“OSHA”) published a rule that required a “reasonable procedure” for employees to report work-related injuries and illnesses and prohibited retaliation against employees who report such injuries or illnesses. The regulations defined an unreasonable procedure as one that deterred or discouraged a reasonable employee from accurately reporting a workplace injury or illness. Although no portion of the rule itself expressly prohibited post-accident drug and alcohol testing, commentary accompanying the rule stated that drug testing policies should limit post-incident testing to situations in which employee drug use is likely to have contributed to the incident and for which the drug test can accurately identify impairment caused by drug use. Since then, there has been great uncertainty among employers as to when post-accident drug and alcohol testing policies and procedures could be applied. Last week, on October 11, 2018, OSHA issued a memorandum clarifying that the Department’s position is that the May 2016 rule does not prohibit post-incident drug testing. The memorandum stated that most instances of workplace drug testing are permissible under the rule and then listed the following as examples: (a) random drug testing; (b) drug testing unrelated to the reporting of a work-related injury or illness; (c) drug testing under a state workers’ compensation law; (d) drug testing under other federal law, such as a U.S. Department of Transportation rule; and (e) drug testing to evaluate the root cause of a workplace incident that harmed or could have harmed employees. Of course, the memorandum included the caveat that the testing must include all employees whose conduct could have contributed to the incident, not just employees who reported injuries. Presumably, doing the latter could still subject the employer to a retaliation claim. To read the complete memorandum, click here.

By Beau Bourgeois

The United States District Court for the Western District of Louisiana recently relied on Louisiana Revised Statutes 9:2779 in holding unenforceable a mandatory forum selection clause in a construction contract.[1] Pittsburg Tank & Tower Maintenance Co., Inc. (“Pittsburg”) contracted with the Town of Jonesboro (the “Town”) to perform maintenance and repair work on an elevated water tower in the Town. Pittsburg issued to the Town its standard form contract, which contained a provision stating, “This contract is governed by the laws of the Commonwealth of Kentucky and any claim should be filed with the Commonwealth of Kentucky.”

After becoming dissatisfied with the work, the Town filed suit in Louisiana state court. After having the case removed to federal court, Pittsburg moved to have the Court transfer the case to the Western District of Kentucky based on the contract’s forum selection clause, quoted above. Although acknowledging that forum selection clauses are generally enforceable, the Court found that extraordinary circumstances prevented its enforceability here.

The Court relied on R.S. 9:2779 for its holding, which provides in pertinent part:

The legislature finds that, with respect to construction contracts . . . for public and private works projects, when one of the parties is domiciled in Louisiana, and the work to be done and the equipment and materials to be supplied involve construction projects in this state, provisions in such agreements requiring disputes arising thereunder to be resolved in a forum outside of this state or requiring their interpretation to be governed by the laws of another jurisdiction are inequitable and against the public policy of this state.

In summary, R.S. 9:2779 generally provides that for “construction contracts” where the work is in Louisiana and one of the parties to the contract is “domiciled” in Louisiana, a forum selection clause that selects a forum outside of Louisiana or a choice of law provision that selects the law of another state is against public policy and will not be enforceable.

In the Pittsburg Tank case, there was no doubt that one of the parties, the Town of Jonesboro, was a Louisiana domiciliary and that the work was performed in Louisiana. Thus, after finding that the contract was, in fact, a “construction” contract,[2] the Court determined that the case should not be transferred because the clause was unenforceable as against Louisiana’s public policy.

Although under Louisiana law, parties may generally agree that actions involving a contract be brought in another state or be subject to the law of another state, for contracts related to a construction project in Louisiana, R.S. 9:2779 may make their agreement unenforceable. Any contractor or owner wishing to perform construction work in Louisiana must be aware of R.S. 9:2779’s implications in order to appropriately set its expectations for the proper forum and applicable law in the undesirable event of a dispute.

_______________________________________

[1] Town of Jonesboro v. Pittsburg Tank & Tower Maintenance Co., Inc., No. 17-1589, 2018 WL 3199476 (W.D. La. Feb. 12, 2018).

[2] The Court spends a substantial portion of the opinion addressing whether Pittsburg’s scope of work should be considered a “construction” or “maintenance” contract. The Court used the “principal value” test to determine that the contract was a “construction” contract such that R.S. 9:2779 applies.

By Sarah W. Anderson

On September 27, 2018, Gov. John Bel Edwards declared October to be Cybersecurity Awareness Month in the State of Louisiana, signing a Proclamation in front of members of the Louisiana Cybersecurity Commission. By signing this Proclamation, Gov. Edwards simultaneously kicked off a Cybersecurity Awareness Campaign promulgated by the Louisiana Cybersecurity Commission. The goal of the Louisiana Cybersecurity Commission, the Proclamation, and the Cybersecurity Awareness Month Campaign is to enhance and improve Louisiana’s cybersecurity ecosystem. Gov. Edwards stated at the Proclamation signing that, “There is no doubt that Louisiana is a leader in cybersecurity.” He emphasized that “No state has more protections for its citizens and its businesses than Louisiana.” Gov. Edwards referenced upcoming proposed legislation concerning cybersecurity protections for Louisiana citizens and businesses during his remarks following the Proclamation signing. The Proclamation signing and the formation of the Louisiana Cybersecurity Commission follow Louisiana’s recently updated data breach notification laws, which went into effect earlier this year. Copies of both the Proclamation and the Cybersecurity Awareness Campaign Model can be found on the Louisiana Cybersecurity Commission’s website.

Kean Miller attorneys will continue to update their clients on relevant cybersecurity news and changes in any relevant legislation and regulations. If you have any questions concerning this, please contact Sarah Anderson and Jessica Engler from Kean Miller.

By James R. “Sonny” Chastain, Jr.

In a recent Supreme Court decision involving the Fourth Amendment, Justice Roberts noted that there are 396 million cell phone accounts in the United States for a nation of only 326 million people. The cell phone provides numerous functions, including access to contacts, data, information and the internet. Some studies suggest people check their cell phones every ten minutes and are less than five feet away from the phone most of the time. It seems the cell phone has become an integral part of daily living. While this development may be productive in terms of overall access to information, it also creates certain risks that employers should consider.

In many instances, companies operate on a platform of bring your own device to work (“BYOD”). Employers should consider what business information may be available to an employee on his or her personal cell phone. An employer is vulnerable if an employee is connected to the employer’s computer system and can access valuable confidential information through the cell phone. The risk is that the employer’s business information may “walk” out the door with the employee. Moreover, if the information gets commingled with the employee’s personal information, there could be a problem in terms of “unscrambling” or wiping the phone on departure. Certainly one approach is to not permit the employee to have access to the information on the phone. However, an employee may need access in order to perform his or her job responsibilities. Employers should consider whether to have a cellular phone policy that addresses how employees should use the phone, any issues regarding expectation of privacy, ownership of information, and wiping upon termination.

Additionally, a cell phone may cause distracted driving. Whether ringing, beeping or vibrating, the cell phone may cause drivers to lose focus. A driver’s belief that the ever-important text or email may have just come in can create an overwhelming desire to check and respond. To the extent an employee is on the road, the temptation to text, call or open an app may create serious risks. Distracted driving is alleged to be a contributing factor in 80% of the automobile accidents on the road today. Employers need to recognize this risk and be proactive in addressing it. Employers should consider having a policy regarding the use of cell phones while driving.

Cell phones are integrated into our daily activities – just look around at any restaurant, when getting on an elevator, or at a stop light. No matter the time, place or circumstances, staying connected seems to be of utmost importance. A cell phone is certainly very beneficial in terms of facilitating access to people and information. However, cell phones may also bring about certain risks. Employers may want to consider the risks that may be applicable to them and any policies to put in place to address those risks.

By Angela W. Adolph

The Industrial Tax Exemption Program (ITEP) is a key tax incentive for manufacturers looking to expand or build facilities in Louisiana. The property tax exemption is authorized in the Constitution and is administered by the Louisiana Department of Economic Development (LED). Historically, exemption contracts were approved at the state level and manufacturers enjoyed ten years of 100% property tax exemption on eligible capital expenditures. In 2016, Gov. John Bel Edwards issued two Executive Orders that upended the program by making local approval of the exemption a prerequisite to LED application and consideration, and by reducing the number of years and the percentage of exemption on eligible capital expenditures.

In early 2018, LED proposed revisions to reinstate much of the old ITEP. Manufacturers once again enjoy ten years of exemption, but only as to 80% of property tax liability. Additionally, LED regained initial approval authority, with local governmental entities having a short window for an “up or down” vote on any LED-approved project. This allows for a more efficient process, as applications will receive automatic approval if the local governmental entities take no action within the specified time.

The last few weeks have been significant for ITEP: the Board of Commerce and Industry approved the first batch of exemption contracts under the new rules at its August 29th meeting. And, on September 19th, the Louisiana Tax Commission approved new rules regarding reporting exempt property, including manufacturing establishments with ITEP contracts. Parish assessors are now required to classify ITEP property on their tax rolls and report the start and end date of any exemption contract, the fair market value and assessed value of exempt property, the exemption percentage and value of the exemption contract, and the amount of property tax subject to exemption. Finally, LED has gone completely digital, and ITEP applications must now be submitted online through the Fastlane system.