Subject: GEA Newsletter - Special #92 June 7th

Special #92 June 7th, 2021
GOOD News!!
We're Back to In-Person Workshops!!

Dates of Workshops:

08/25/21    Leadership I
09/15/21    Leadership II
10/06/21    Leadership III
10/27/21    Leadership IV
11/17/21    Leadership V
12/04/21    Leadership VI


Location: 
Fickling Building
577 Mulberry Street, Macon, GA 31201
16th Floor Cherry Blossom Suite


For Overview visit here: 


Pete's Corner - Article 2
The Future of Work is Still Human
By Pete Tosh 
The Focus Group

Over the past year, the workplace has undergone unprecedented change. Schedules, workflows, work locations and communication processes have been continually disrupted and rearranged.

To better understand how employees are adjusting to these changes, earlier this year Workhuman conducted a survey of U.S. employees across a broad range of industries, departments, and positions. The employees reported feeling:
  • Their organizational culture has shifted – 60%
  • They have less human connection – 59%
  • More anxious – 37%
  • Isolated – 31%
  • Overwhelmed – 28%
  • It’s difficult to adjust to the new way of working – 27%
  • Less motivated – 24%

We all know that human connections directly impact retention and productivity. Employees can’t flourish and do their best work when they are feeling mentally strained and/or coping with too much uncertainty.

Employee engagement is the fuel for, and a leading indicator of, an organization’s financial performance. It’s not a nicety but a competitive advantage. But it’s difficult for leaders to objectively know how front-line employees feel about the organization and whether supervisors are engaging or disengaging their teams.

Employee Engagement Surveys – when conducted formally, objectively, using proven questions and with employees’ responses segmented by supervisor - can provide leaders with actionable information.

We at The Georgia Employers’ Association are helping member companies implement the following approaches to enhance their levels of employee engagement, productivity and profitability:
  • Surveying employees to determine their current state of engagement
  • Then providing managers with practical tools used by the most effective managers to enhance employee engagement

Give us a call if you’d like examples of how member companies have improved their level of employee engagement and benefitted from the resulting organizational performance improvements. Pricing for our base GEA survey is $35-40 per employee.

Georgia Employers' Association
Phone: 478-722-8282

HR and Employment Law News 
Constangy.com LEGAL BULLETIN:
Legal Bulletin #891

The Computer Fraud and Abuse Act now provides less protection from insider threats. Here’s what employers need to be doing.

By Ron Sarian / Los Angeles Office

Because of a recent U.S. Supreme Court decision, the federal Computer Fraud and Abuse Act has become less protective of employers’ rights to be free from theft or sabotage by employees and others with access to those systems.

In Van Buren v. United States, the Court ruled that Section 1030 of the CFAA does not apply to individuals who had legitimate access to an employer’s computer systems but then misused the systems in some way.

Background 

The Computer Fraud and Abuse Act was enacted in 1986 as an amendment to the 1984 Comprehensive Crime Control Act. The CCCA was the first federal computer fraud law designed to address hacking in cases involving a compelling “federal interest” (that is, where computers of the federal government or certain financial institutions are involved or where the crime itself was interstate in nature). The CCCA, codified as 18 U.S.C. 1030, consisted of three new federal crimes that covered certain conduct by a person who “knowingly accesses a computer without authorization, or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend[.]” The crimes were limited to three specific scenarios tailored to particular government interests: computer misuse to obtain national security secrets, computer misuse to obtain personal financial records, and hacking into government computers.

With the CFAA, Congress broadened the protection by adding three new prohibitions. Section 1030(a)(4) prohibited unauthorized access with intent to defraud; section 1030(a)(5) prohibited accessing a computer without authorization and altering, damaging, or destroying information; and section 1030(a)(6) prohibited trafficking in computer passwords. The amendment also provided additional penalties.

Until it was amended in 1994, the CFAA provided only criminal penalties for engaging in prohibited conduct. At that point, Congress added a civil cause of action for CFAA violations that gave private parties the ability to obtain compensatory damages, injunctive relief, and other equitable relief.
Congress also expanded the CFAA to cover several other computer-related acts, including theft of property via computer that occurs as part of a scheme to defraud; intentional alteration, damage, or destruction of data belonging to others; distribution of malicious code and denial of service; and trafficking in passwords and similar items. Section 1030(a)(5) was amended to provide further protection from unauthorized access resulting in damage, even if the damage was accidental and without negligence. It was also extended to outsiders gaining unauthorized access, and to insiders who intentionally damaged a computer.

Congress has broadened the scope and coverage of the CFAA through eight subsequent amendments, including in 1996, in 2001 (by the USA PATRIOT Act of 2001), in 2002, and in 2008 (by the Identity Theft Enforcement and Restitution Act).

However, federal appeals courts have disagreed about whether a person violates the CFAA when accessing information via a valid log-in or other legitimate authorization for an improper purpose. That uncertainty has now been put to rest.

Van Buren v. United States

Earlier this month, the U.S. Supreme Court adopted a “gates-up-or-down” approach. A former police sergeant in Georgia used his patrol-car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money. Although Nathan Van Buren used his own, valid credentials to perform the search, his conduct violated a department policy against obtaining database information for non-law-enforcement purposes. Unbeknownst to Mr. Van Buren, his actions were part of an FBI sting operation. Mr. Van Buren was charged with a felony violation of the CFAA, which subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” He was convicted, and his conviction was upheld by the U.S. Court of Appeals for the Eleventh Circuit. The Supreme Court agreed to review the decision.

In an opinion delivered on June 3 and written by Justice Amy Coney Barrett, the majority ruled that Section 1030 is so broadly written that it has been used well beyond its main purpose, which is to prohibit and punish illegal hacking of computer networks. As explained by the majority, “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.” Justice Barrett reasoned that because employers commonly state that computers and electronic devices can be used only for business purposes, then an employee who does something as innocuous as sending a personal e-mail or reading the news on her work computer has violated the CFAA.

The focus of the Supreme Court’s analysis turned on the meaning of “so,” as used in Section 1030, which defines the phrase “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” (Emphasis added.) The word “so,” the majority reasoned, is “a term of reference,” and thus the phrase “so to obtain” means to obtain in “the same manner as has been stated.” That manner is “via a computer one is otherwise authorized to access,” and therefore the phrase “is not entitled so to obtain” must be read as “not allowed to obtain by using a computer that he is authorized to access.” 

Thus, the majority held that individuals “exceed[] authorized access” only when they access computers with authorization but then obtain information located in particular areas of the computer – such as files, folders, or databases – that are off-limits to them. Because Mr. Van Buren had legitimate access to the area of the computer from which he accessed the license plate information, he did not violate the CFAA, even though he used that information for an improper purpose.

How employers can protect their businesses after Van Buren

Clearly, Van Buren narrows the grounds upon which an organization may civilly or criminally enforce its data access and use policies. Although it was a criminal case, Van Buren has clear implications for employers who learn that their employees (oftentimes, departing employees) have accessed company servers and downloaded confidential information for their own purposes. So what should employers do now? Preliminarily, it should be noted that numerous other laws continue to apply, such as the federal Defend Trade Secrets Act, state trade secret and trespass laws, and business torts (for example, breach of the duty of loyalty). In addition, invention assignment/confidentiality agreements, non-disclosure agreements, and noncompete agreements containing express prohibitions on unauthorized use and disclosure should provide employers with ample grounds for civil lawsuits.

Employers should already have these agreements in place, but must review them to ensure that they’re in step with the current laws. Even better, employers should take steps to prevent an unauthorized access issue from arising in the first place. This can be accomplished in a number of ways:

  • Undertake data mapping to determine where sensitive data, customer lists, intellectual property, and trade secrets reside on the network – and restrict access to them by adopting the security measure of “least privilege” and giving access to more sensitive information or trade secrets only to those employees who truly need such access.
  • Review data use policies and contractual agreements to identify the “insiders” who may have access to corporate networks, including employees, contractors, vendors, or others. Review all contractor and vendor agreements in place with regard to access granted, and implement technological restrictions in addition to the contractual.
  • Review the external entry points to your digital infrastructure and consider whether additional measures are necessary, such as switching to a more restrictive access or monitoring the efforts of data scrapers in order to potentially revoke their authorizations.

Conclusion

Your company’s infrastructure should be covered from all angles to prevent unauthorized access to sensitive information. In light of the holding of Van Buren, the foregoing requirements take on an even greater sense of urgency.



HRDive.com BRIEF:
Biden executive order sets DEI, accessibility standards for federal workforce



Published July 2, 2021
Emilie Shumway / Associate Editor

Dive Brief:
  • On June 25, President Biden signed an executive order with the aim of "strengthen[ing] the Federal workforce by promoting diversity, equity, inclusion, and accessibility" and creating a workforce that "reflects the diversity of the American people."

  • The order directs the formation of a government-wide diversity, equity, inclusion and accessibility (DEIA) initiative and a DEIA strategic plan, due 150 days from the order’s signing.

Constangy.com Blog:
A few grains of salt about that COVID vaccine decision from Texas
BY ROBIN SHEA ON 7.2.21
POSTED IN CORONAVIRUS, VACCINATION

Don't rely on it too much -- yet.

We recently got our first federal court decision addressing whether an employer had the right to require employees to be vaccinated for COVID-19. The court's answer was yes.

The Houston Methodist Hospital System issued a directive in March requiring that all executives, managers, and new hires be fully vaccinated by a deadline. Everyone complied.

Then, in April, the hospital extended the directive to all employees. Any employee who was not fully vaccinated by June 7 would be placed on a two-week suspension. Employees who were not vaccinated by the end of the suspension period were to be terminated.

(The hospital did follow the guidance issued by the Equal Employment Opportunity Commission by making exceptions for employees with medical conditions -- including pregnancy -- that precluded them from being vaccinated, and also for employees with religious objections.)

In late May, Jennifer Bridges and 116 other employees who were not vaccinated and apparently didn't qualify for an exemption, filed suit against the hospital, claiming that because the current vaccines have only an Emergency Use Authorization from the Food and Drug Administration, the hospital's actions are tantamount to human experimentation without the subjects' consent. In support of their contention, the employees cited portions of the federal Food and Drug Act and the Nuremberg Code.

According to the lawsuit, termination for failing to receive a vaccine that had only an EUA would be a wrongful discharge in violation of the public policy of the State of Texas. The plaintiffs asked the court for a restraining order (prohibiting the hospital from following through on the terminations), and also sought money, natch.

U.S. District Court Judge Lynn N. Hughes denied the motion for a restraining order, and then threw out the lawsuit entirely in a four-page decision.

Not long afterward, the plaintiffs who had not already resigned from the hospital were fired because they never got vaccinated.

In all, a big victory for mandatory COVID vaccines in the workplace. But here's why I think employers -- especially those outside of Texas -- should be cautious about relying too much on the Bridges decision:

Reason No. 1: The plaintiffs in this case have already appealed to the U.S. Court of Appeals for the Fifth Circuit. I think their appeal may have more than a snowball's chance in Hades of succeeding. Here's why:

At the "motion to dismiss" stage, the court is supposed to assume that the allegations in the lawsuit are true. The idea behind it is this: A motion to dismiss seeks to get a lawsuit thrown out from the get-go -- not only before the case would actually go to trial, but also before the parties engage in discovery, and even before the defendant admits or denies the allegations. So, for a defendant to get a dismissal at this very, very early stage, the judge has to give the plaintiff the benefit of every doubt.

Only if, bending over backward for the plaintiff, the court finds that the lawsuit would not support a claim that is recognized in the law -- only then can the court dismiss the lawsuit.

Here's an example. Let's say my boss fires me because I'm incompetent. But I think he fired me because I have a nicer house than he does, and he's jealous.


I sue my employer for wrongful discharge, and my boss asks the court to dismiss my lawsuit. When ruling on the motion, the court will take my word for it that I really was fired for no reason other than my boss's envy of my big, beautiful house. At this stage, the court won't even consider the possibility that I was fired for being incompetent. But the court will throw out my lawsuit anyway because it's not against the law to fire an employee because of house envy. (Unfair, yes. Illegal, no.) Even if my allegations are true, I have "failed to state a claim for which relief may be granted."

Back to our vaccine case. I'm not sure the judge assumed everything the plaintiffs said was true. For example, he says, "Bridges dedicates the bulk of her pleadings to arguing that the currently-available COVID-19 vaccines are experimental and dangerous. This claim is false." (Emphasis added.) He goes on to say that his decision isn't based on "[v]accine safety and efficacy," but couldn't safety and efficacy be relevant to the merits of the lawsuit?

(Don't get me wrong. I am not saying that it isn't legitimate for an employer -- and especially a health care employer -- to require vaccination, but the fact remains that the vaccines haven't been around very long, and they don't yet have full FDA approval.)

The judge also blasts the "press-release style of the complaint," calls the plaintiff's citation of the Nuremberg Code "reprehensible," and says that it is not "coercion" for an employer to direct an employee to do something under penalty of termination.

In short, I don't think Judge Hughes bent over backward for the plaintiffs here.

(The FDA's explanation of Emergency Use Authorization is available here, and a good lay person's explanation from UNC Health is available here.)

Thus, it would not shock me if the Fifth Circuit were to find that dismissal at this very early stage was premature. Not that the hospital is necessarily in the wrong and won't ultimately win, but only that it may have been too early to dismiss the lawsuit.

Reason No. 2: Under Texas law, there is apparently no cause of action for wrongful discharge in violation of public policy unless the employer forces the employee to engage in an illegal act that could subject the employee to criminal liability. And ordering your employees to get a vaccine is not such an act -- even if the vaccine has only an EUA.

But for you employers in other states, be aware that the Texas wrongful discharge standard is pretty narrow. Many states -- perhaps including your own -- have more generous definitions of "public policy" that could, at least arguably, include requiring an employee to get a vaccine that had been only provisionally approved.

And even in Texas, I'd be "from Missouri." Only the Texas state courts can decide whether to expand the cause of action for wrongful discharge. Federal courts do not have the power to do this. But the Fifth Circuit could ask the Texas Supreme Court to decide whether terminating an employee for refusing to get a vaccine with only an EUA violates the public policy of the state. If so, then who knows what will happen? If the Texas court adopted a new standard, the federal courts would have to follow it. Whatever it may be.

Reason No. 3: Based on the attachments to the lawsuit, it appears that Houston Methodist was willing to be a health care industry leader, and therefore a "test case," on the issue of mandatory vaccines. Other employers may be less willing to take that risk.

Reason No. 4: Even if Judge Hughes's decision stands, it applies only in the Southern District of Texas or (if the hospital wins on appeal) the Fifth Circuit states of Louisiana, Texas, and Mississippi. Federal courts in other parts of the country are free to take a different position.

So the Bridges decision is encouraging for employers who want to require vaccines, but it is not definitive. I'd take it with a grain of salt until we hear from other courts.



Georgia Employers' Association, 577 Mulberry Street, Suite 710, 31201, Macon, United States